2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include "connection.h"
50 #define MAX(a, b) ((a) > (b) ? (a) : (b))
55 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
58 static void send_udppacket(node_t *, vpn_packet_t *);
60 unsigned replaywin = 16;
61 bool localdiscovery = true;
62 bool udp_discovery = true;
63 int udp_discovery_interval = 9;
64 int udp_discovery_timeout = 30;
66 #define MAX_SEQNO 1073741824
68 static void send_udp_probe_packet(node_t *n, int len) {
70 packet.offset = DEFAULT_PACKET_OFFSET;
71 memset(DATA(&packet), 0, 14);
72 randomize(DATA(&packet) + 14, len - 14);
76 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname);
78 send_udppacket(n, &packet);
81 static void send_mtu_probe_handler(void *data) {
84 if(!n->status.reachable || !n->status.validkey) {
85 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
90 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
91 mtuprobes == 31: sleep pinginterval seconds
92 mtuprobes == 32: send 1 burst, sleep pingtimeout second
93 mtuprobes == 33: no response from other side, restart PMTU discovery process */
98 if(n->mtuprobes > 32) {
101 timeout = pinginterval;
105 logger(DEBUG_TRAFFIC, LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
106 n->status.udp_confirmed = false;
112 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
113 logger(DEBUG_TRAFFIC, LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
117 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
118 if(n->minmtu > n->maxmtu)
119 n->minmtu = n->maxmtu;
121 n->maxmtu = n->minmtu;
123 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
127 if(n->mtuprobes == 31) {
128 timeout = pinginterval;
130 } else if(n->mtuprobes == 32) {
131 timeout = pingtimeout;
134 /* After the initial discovery, a fourth packet is added to each batch with a
135 size larger than the currently known PMTU, to test if the PMTU has increased. */
136 if (n->mtuprobes >= 30 && n->maxmtu + 8 < MTU)
137 send_udp_probe_packet(n, n->maxmtu + 8);
139 /* Probes are sent in batches of three, with random sizes between the
140 lower and upper boundaries for the MTU thus far discovered. */
141 for (int i = 0; i < 3; i++) {
143 if(n->minmtu < n->maxmtu)
144 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
146 send_udp_probe_packet(n, MAX(len, 64));
149 n->probe_counter = 0;
150 gettimeofday(&n->probe_time, NULL);
152 /* Calculate the packet loss of incoming traffic by comparing the rate of
153 packets received to the rate with which the sequence number has increased.
156 if(n->received > n->prev_received)
157 n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
159 n->packetloss = n->received_seqno <= n->prev_received_seqno;
161 n->prev_received_seqno = n->received_seqno;
162 n->prev_received = n->received;
165 timeout_set(&n->mtutimeout, &(struct timeval){timeout, rand() % 100000});
168 void send_mtu_probe(node_t *n) {
169 timeout_add(&n->mtutimeout, send_mtu_probe_handler, n, &(struct timeval){1, 0});
170 send_mtu_probe_handler(n);
173 static void udp_probe_timeout_handler(void *data) {
175 if(!n->status.udp_confirmed)
178 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
179 n->status.udp_confirmed = false;
185 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
186 if(!DATA(packet)[0]) {
187 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
189 /* It's a probe request, send back a reply */
191 /* Type 2 probe replies were introduced in protocol 17.3 */
192 if ((n->options >> 24) >= 3) {
193 uint8_t *data = DATA(packet);
195 uint16_t len16 = htons(len); memcpy(data, &len16, 2); data += 2;
197 gettimeofday(&now, NULL);
198 uint32_t sec = htonl(now.tv_sec); memcpy(data, &sec, 4); data += 4;
199 uint32_t usec = htonl(now.tv_usec); memcpy(data, &usec, 4); data += 4;
202 /* Legacy protocol: n won't understand type 2 probe replies. */
206 /* Temporarily set udp_confirmed, so that the reply is sent
207 back exactly the way it came in. */
209 bool udp_confirmed = n->status.udp_confirmed;
210 n->status.udp_confirmed = true;
211 send_udppacket(n, packet);
212 n->status.udp_confirmed = udp_confirmed;
214 length_t probelen = len;
215 if (DATA(packet)[0] == 2) {
217 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) UDP probe reply from %s (%s)", n->name, n->hostname);
219 uint16_t probelen16; memcpy(&probelen16, DATA(packet) + 1, 2); probelen = ntohs(probelen16);
222 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname);
224 /* It's a valid reply: now we know bidirectional communication
225 is possible using the address and socket that the reply
227 n->status.udp_confirmed = true;
230 timeout_del(&n->udp_ping_timeout);
231 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
234 /* If we haven't established the PMTU yet, restart the discovery process. */
236 if(n->mtuprobes > 30) {
237 if (probelen == n->maxmtu + 8) {
238 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
250 /* If applicable, raise the minimum supported MTU */
252 if(probelen > n->maxmtu)
253 probelen = n->maxmtu;
254 if(n->minmtu < probelen)
255 n->minmtu = probelen;
257 /* Calculate RTT and bandwidth.
258 The RTT is the time between the MTU probe burst was sent and the first
259 reply is received. The bandwidth is measured using the time between the
260 arrival of the first and third probe reply (or type 2 probe requests).
263 struct timeval now, diff;
264 gettimeofday(&now, NULL);
265 timersub(&now, &n->probe_time, &diff);
267 struct timeval probe_timestamp = now;
268 if (DATA(packet)[0] == 2 && packet->len >= 11) {
269 uint32_t sec; memcpy(&sec, DATA(packet) + 3, 4);
270 uint32_t usec; memcpy(&usec, DATA(packet) + 7, 4);
271 probe_timestamp.tv_sec = ntohl(sec);
272 probe_timestamp.tv_usec = ntohl(usec);
277 if(n->probe_counter == 1) {
278 n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
279 n->probe_time = probe_timestamp;
280 } else if(n->probe_counter == 3) {
281 struct timeval probe_timestamp_diff;
282 timersub(&probe_timestamp, &n->probe_time, &probe_timestamp_diff);
283 n->bandwidth = 2.0 * probelen / (probe_timestamp_diff.tv_sec + probe_timestamp_diff.tv_usec * 1e-6);
284 logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, burst bandwidth %.3f Mbit/s, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->bandwidth * 8e-6, n->packetloss * 1e2);
289 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
291 memcpy(dest, source, len);
293 } else if(level == 10) {
295 lzo_uint lzolen = MAXSIZE;
296 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
301 } else if(level < 10) {
303 unsigned long destlen = MAXSIZE;
304 if(compress2(dest, &destlen, source, len, level) == Z_OK)
311 lzo_uint lzolen = MAXSIZE;
312 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
322 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
324 memcpy(dest, source, len);
326 } else if(level > 9) {
328 lzo_uint lzolen = MAXSIZE;
329 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
337 unsigned long destlen = MAXSIZE;
338 if(uncompress(dest, &destlen, source, len) == Z_OK)
350 static void receive_packet(node_t *n, vpn_packet_t *packet) {
351 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
352 packet->len, n->name, n->hostname);
355 n->in_bytes += packet->len;
360 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
362 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
364 #ifdef DISABLE_LEGACY
367 if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
370 return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
374 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
375 vpn_packet_t pkt1, pkt2;
376 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
379 pkt1.offset = DEFAULT_PACKET_OFFSET;
380 pkt2.offset = DEFAULT_PACKET_OFFSET;
382 if(n->status.sptps) {
383 if(!n->sptps.state) {
384 if(!n->status.waitingforkey) {
385 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
388 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
392 inpkt->offset += 2 * sizeof(node_id_t);
393 if(!sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t))) {
394 logger(DEBUG_TRAFFIC, LOG_ERR, "Got bad packet from %s (%s)", n->name, n->hostname);
400 #ifdef DISABLE_LEGACY
403 if(!n->status.validkey) {
404 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
408 /* Check packet length */
410 if(inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
411 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
412 n->name, n->hostname);
416 /* It's a legacy UDP packet, the data starts after the seqno */
418 inpkt->offset += sizeof(seqno_t);
420 /* Check the message authentication code */
422 if(digest_active(n->indigest)) {
423 inpkt->len -= digest_length(n->indigest);
424 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
425 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
429 /* Decrypt the packet */
431 if(cipher_active(n->incipher)) {
432 vpn_packet_t *outpkt = pkt[nextpkt++];
435 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
436 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
440 outpkt->len = outlen;
444 /* Check the sequence number */
447 memcpy(&seqno, SEQNO(inpkt), sizeof seqno);
448 seqno = ntohl(seqno);
449 inpkt->len -= sizeof seqno;
452 if(seqno != n->received_seqno + 1) {
453 if(seqno >= n->received_seqno + replaywin * 8) {
454 if(n->farfuture++ < replaywin >> 2) {
455 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
456 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
459 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
460 seqno - n->received_seqno - 1, n->name, n->hostname);
461 memset(n->late, 0, replaywin);
462 } else if (seqno <= n->received_seqno) {
463 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
464 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
465 n->name, n->hostname, seqno, n->received_seqno);
469 for(int i = n->received_seqno + 1; i < seqno; i++)
470 n->late[(i / 8) % replaywin] |= 1 << i % 8;
475 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
478 if(seqno > n->received_seqno)
479 n->received_seqno = seqno;
483 if(n->received_seqno > MAX_SEQNO)
486 /* Decompress the packet */
488 length_t origlen = inpkt->len;
490 if(n->incompression) {
491 vpn_packet_t *outpkt = pkt[nextpkt++];
493 if((outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression)) < 0) {
494 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
495 n->name, n->hostname);
501 origlen -= MTU/64 + 20;
506 if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
507 udp_probe_h(n, inpkt, origlen);
509 receive_packet(n, inpkt);
514 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
516 outpkt.offset = DEFAULT_PACKET_OFFSET;
518 if(len > sizeof outpkt.data - outpkt.offset)
522 if(c->options & OPTION_TCPONLY)
525 outpkt.priority = -1;
526 memcpy(DATA(&outpkt), buffer, len);
528 receive_packet(c->node, &outpkt);
531 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
532 if(!n->status.validkey && !n->connection)
538 if(!(DATA(origpkt)[12] | DATA(origpkt)[13])) {
539 sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
543 if(routing_mode == RMODE_ROUTER)
548 if(origpkt->len < offset)
553 if(n->outcompression) {
555 int len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
557 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
558 } else if(len < origpkt->len - offset) {
559 outpkt.len = len + offset;
561 type |= PKT_COMPRESSED;
565 /* If we have a direct metaconnection to n, and we can't use UDP, then
566 don't bother with SPTPS and just use a "plaintext" PACKET message.
567 We don't really care about end-to-end security since we're not
568 sending the message through any intermediate nodes. */
569 if(n->connection && origpkt->len > n->minmtu)
570 send_tcppacket(n->connection, origpkt);
572 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
576 static void adapt_socket(const sockaddr_t *sa, int *sock) {
577 /* Make sure we have a suitable socket for the chosen address */
578 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
579 for(int i = 0; i < listen_sockets; i++) {
580 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
588 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
593 /* If the UDP address is confirmed, use it. */
594 if(n->status.udp_confirmed)
597 /* Send every third packet to n->address; that could be set
598 to the node's reflexive UDP address discovered during key
607 /* Otherwise, address are found in edges to this node.
608 So we pick a random edge and a random socket. */
611 int j = rand() % n->edge_tree->count;
612 edge_t *candidate = NULL;
614 for splay_each(edge_t, e, n->edge_tree) {
616 candidate = e->reverse;
622 *sa = &candidate->address;
623 *sock = rand() % listen_sockets;
626 adapt_socket(*sa, sock);
629 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
632 /* Pick one of the edges from this node at random, then use its local address. */
635 int j = rand() % n->edge_tree->count;
636 edge_t *candidate = NULL;
638 for splay_each(edge_t, e, n->edge_tree) {
645 if (candidate && candidate->local_address.sa.sa_family) {
646 *sa = &candidate->local_address;
647 *sock = rand() % listen_sockets;
648 adapt_socket(*sa, sock);
652 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
653 vpn_packet_t pkt1, pkt2;
654 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
655 vpn_packet_t *inpkt = origpkt;
657 vpn_packet_t *outpkt;
658 int origlen = origpkt->len;
660 #if defined(SOL_IP) && defined(IP_TOS)
661 static int priority = 0;
662 int origpriority = origpkt->priority;
665 pkt1.offset = DEFAULT_PACKET_OFFSET;
666 pkt2.offset = DEFAULT_PACKET_OFFSET;
668 if(!n->status.reachable) {
669 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
674 return send_sptps_packet(n, origpkt);
676 #ifdef DISABLE_LEGACY
679 /* Make sure we have a valid key */
681 if(!n->status.validkey) {
682 logger(DEBUG_TRAFFIC, LOG_INFO,
683 "No valid key known yet for %s (%s), forwarding via TCP",
684 n->name, n->hostname);
685 send_tcppacket(n->nexthop->connection, origpkt);
689 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
690 logger(DEBUG_TRAFFIC, LOG_INFO,
691 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
692 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
695 send_packet(n->nexthop, origpkt);
697 send_tcppacket(n->nexthop->connection, origpkt);
702 /* Compress the packet */
704 if(n->outcompression) {
705 outpkt = pkt[nextpkt++];
707 if((outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression)) < 0) {
708 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
709 n->name, n->hostname);
716 /* Add sequence number */
718 seqno_t seqno = htonl(++(n->sent_seqno));
719 memcpy(SEQNO(inpkt), &seqno, sizeof seqno);
720 inpkt->len += sizeof seqno;
722 /* Encrypt the packet */
724 if(cipher_active(n->outcipher)) {
725 outpkt = pkt[nextpkt++];
728 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
729 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
733 outpkt->len = outlen;
737 /* Add the message authentication code */
739 if(digest_active(n->outdigest)) {
740 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
741 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
745 inpkt->len += digest_length(n->outdigest);
748 /* Send the packet */
750 const sockaddr_t *sa = NULL;
753 if(n->status.send_locally)
754 choose_local_address(n, &sa, &sock);
756 choose_udp_address(n, &sa, &sock);
758 #if defined(SOL_IP) && defined(IP_TOS)
759 if(priorityinheritance && origpriority != priority
760 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
761 priority = origpriority;
762 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
763 if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
764 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
768 if(sendto(listen_socket[sock].udp.fd, SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
769 if(sockmsgsize(sockerrno)) {
770 if(n->maxmtu >= origlen)
771 n->maxmtu = origlen - 1;
772 if(n->mtu >= origlen)
773 n->mtu = origlen - 1;
775 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
779 origpkt->len = origlen;
783 static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void *data, size_t len) {
784 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
785 bool direct = from == myself && to == relay;
786 bool relay_supported = (relay->options >> 24) >= 4;
787 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
789 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU.
790 TODO: When relaying, the original sender does not know the end-to-end PMTU (it only knows the PMTU of the first hop).
791 This can lead to scenarios where large packets are sent over UDP to relay, but then relay has no choice but fall back to TCP. */
793 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
794 char buf[len * 4 / 3 + 5];
795 b64encode(data, buf, len);
796 /* If no valid key is known yet, send the packets using ANS_KEY requests,
797 to ensure we get to learn the reflexive UDP address. */
798 if(from == myself && !to->status.validkey) {
799 to->incompression = myself->incompression;
800 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
802 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, REQ_SPTPS, buf);
807 if(relay_supported) overhead += sizeof to->id + sizeof from->id;
808 char buf[len + overhead]; char* buf_ptr = buf;
809 if(relay_supported) {
811 /* Inform the recipient that this packet was sent directly. */
812 node_id_t nullid = {};
813 memcpy(buf_ptr, &nullid, sizeof nullid); buf_ptr += sizeof nullid;
815 memcpy(buf_ptr, &to->id, sizeof to->id); buf_ptr += sizeof to->id;
817 memcpy(buf_ptr, &from->id, sizeof from->id); buf_ptr += sizeof from->id;
820 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
821 memcpy(buf_ptr, data, len); buf_ptr += len;
823 const sockaddr_t *sa = NULL;
825 if(relay->status.send_locally)
826 choose_local_address(relay, &sa, &sock);
828 choose_udp_address(relay, &sa, &sock);
829 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
830 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
831 if(sockmsgsize(sockerrno)) {
832 // Compensate for SPTPS overhead
833 len -= SPTPS_DATAGRAM_OVERHEAD;
834 if(relay->maxmtu >= len)
835 relay->maxmtu = len - 1;
836 if(relay->mtu >= len)
837 relay->mtu = len - 1;
839 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
847 bool send_sptps_data(void *handle, uint8_t type, const void *data, size_t len) {
848 return send_sptps_data_priv(handle, myself, type, data, len);
851 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
852 node_t *from = handle;
854 if(type == SPTPS_HANDSHAKE) {
855 if(!from->status.validkey) {
856 from->status.validkey = true;
857 from->status.waitingforkey = false;
858 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
864 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
869 inpkt.offset = DEFAULT_PACKET_OFFSET;
871 if(type == PKT_PROBE) {
873 memcpy(DATA(&inpkt), data, len);
874 udp_probe_h(from, &inpkt, len);
878 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
879 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
883 /* Check if we have the headers we need */
884 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
885 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
887 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
888 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
891 int offset = (type & PKT_MAC) ? 0 : 14;
892 if(type & PKT_COMPRESSED) {
893 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
897 inpkt.len = ulen + offset;
899 if(inpkt.len > MAXSIZE)
902 memcpy(DATA(&inpkt) + offset, data, len);
903 inpkt.len = len + offset;
906 /* Generate the Ethernet packet type if necessary */
908 switch(DATA(&inpkt)[14] >> 4) {
910 DATA(&inpkt)[12] = 0x08;
911 DATA(&inpkt)[13] = 0x00;
914 DATA(&inpkt)[12] = 0x86;
915 DATA(&inpkt)[13] = 0xDD;
918 logger(DEBUG_TRAFFIC, LOG_ERR,
919 "Unknown IP version %d while reading packet from %s (%s)",
920 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
925 receive_packet(from, &inpkt);
929 // This function tries to get SPTPS keys, if they aren't already known.
930 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
931 static void try_sptps(node_t *n) {
932 if(n->status.validkey)
935 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
937 if(!n->status.waitingforkey)
939 else if(n->last_req_key + 10 < now.tv_sec) {
940 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
941 sptps_stop(&n->sptps);
942 n->status.waitingforkey = false;
949 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
950 // If a tunnel is already established, it makes sure it stays up.
951 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
952 static void try_udp(node_t* n) {
957 gettimeofday(&now, NULL);
958 struct timeval ping_tx_elapsed;
959 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
961 if(ping_tx_elapsed.tv_sec >= udp_discovery_interval) {
962 send_udp_probe_packet(n, MAX(n->minmtu, 16));
963 n->udp_ping_sent = now;
965 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
966 n->status.send_locally = true;
967 send_udp_probe_packet(n, 16);
968 n->status.send_locally = false;
973 // This function tries to establish a tunnel to a node (or its relay) so that packets can be sent (e.g. get SPTPS keys).
974 // If a tunnel is already established, it tries to improve it (e.g. by trying to establish a UDP tunnel instead of TCP).
975 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if TCP and/or UDP is usable.
976 // By calling this function repeatedly, the tunnel is gradually improved until we hit the wall imposed by the underlying network environment.
977 // It is recommended to call this function every time a packet is sent (or intended to be sent) to a node,
978 // so that the tunnel keeps improving as packets flow, and then gracefully downgrades itself as it goes idle.
979 static void try_tx(node_t *n) {
980 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
981 messages anyway, so there's no need for SPTPS at all. Otherwise, get the keys. */
982 if(n->status.sptps && !(n->connection && ((myself->options | n->options) & OPTION_TCPONLY))) {
984 if (!n->status.validkey)
988 node_t *via = (n->via == myself) ? n->nexthop : n->via;
990 if((myself->options | via->options) & OPTION_TCPONLY)
993 if(!n->status.sptps && !via->status.validkey && via->last_req_key + 10 <= now.tv_sec) {
995 via->last_req_key = now.tv_sec;
996 } else if(via == n || !n->status.sptps || (via->options >> 24) >= 4)
999 /* If we don't know how to reach "via" yet, then try to reach it through a relay. */
1000 if(n->status.sptps && !via->status.udp_confirmed && via->nexthop != via && (via->nexthop->options >> 24) >= 4)
1001 try_tx(via->nexthop);
1005 send a packet to the given vpn ip.
1007 void send_packet(node_t *n, vpn_packet_t *packet) {
1012 memcpy(DATA(packet), mymac.x, ETH_ALEN);
1014 n->out_bytes += packet->len;
1015 devops.write(packet);
1019 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
1020 packet->len, n->name, n->hostname);
1022 if(!n->status.reachable) {
1023 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
1024 n->name, n->hostname);
1029 n->out_bytes += packet->len;
1031 if(n->status.sptps) {
1032 send_sptps_packet(n, packet);
1036 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1039 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
1040 n->name, via->name, n->via->hostname);
1042 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1043 if(!send_tcppacket(via->connection, packet))
1044 terminate_connection(via->connection, true);
1046 send_udppacket(via, packet);
1049 /* Try to improve the tunnel.
1050 Note that we do this *after* we send the packet because sending actual packets take priority
1051 with regard to the send buffer space and latency. */
1055 /* Broadcast a packet using the minimum spanning tree */
1057 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1058 // Always give ourself a copy of the packet.
1060 send_packet(myself, packet);
1062 // In TunnelServer mode, do not forward broadcast packets.
1063 // The MST might not be valid and create loops.
1064 if(tunnelserver || broadcast_mode == BMODE_NONE)
1067 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1068 packet->len, from->name, from->hostname);
1070 switch(broadcast_mode) {
1071 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1072 // This guarantees all nodes receive the broadcast packet, and
1073 // usually distributes the sending of broadcast packets over all nodes.
1075 for list_each(connection_t, c, connection_list)
1076 if(c->edge && c->status.mst && c != from->nexthop->connection)
1077 send_packet(c->node, packet);
1080 // In direct mode, we send copies to each node we know of.
1081 // However, this only reaches nodes that can be reached in a single hop.
1082 // We don't have enough information to forward broadcast packets in this case.
1087 for splay_each(node_t, n, node_tree)
1088 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
1089 send_packet(n, packet);
1097 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1100 static time_t last_hard_try = 0;
1102 for splay_each(edge_t, e, edge_weight_tree) {
1103 if(!e->to->status.reachable || e->to == myself)
1106 if(sockaddrcmp_noport(from, &e->address)) {
1107 if(last_hard_try == now.tv_sec)
1112 if(!try_mac(e->to, pkt))
1120 last_hard_try = now.tv_sec;
1122 last_hard_try = now.tv_sec;
1126 void handle_incoming_vpn_data(void *data, int flags) {
1127 listen_socket_t *ls = data;
1130 node_id_t nullid = {};
1131 sockaddr_t addr = {};
1132 socklen_t addrlen = sizeof addr;
1134 bool direct = false;
1137 int len = recvfrom(ls->udp.fd, DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1139 if(len <= 0 || len > MAXSIZE) {
1140 if(!sockwouldblock(sockerrno))
1141 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1147 sockaddrunmap(&addr); /* Some braindead IPv6 implementations do stupid things. */
1149 // Try to figure out who sent this packet.
1151 node_t *n = lookup_node_udp(&addr);
1154 // It might be from a 1.1 node, which might have a source ID in the packet.
1155 pkt.offset = 2 * sizeof(node_id_t);
1156 from = lookup_node_id(SRCID(&pkt));
1157 if(from && !memcmp(DSTID(&pkt), &nullid, sizeof nullid) && from->status.sptps) {
1158 if(sptps_verify_datagram(&from->sptps, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t)))
1167 n = try_harder(&addr, &pkt);
1172 if(debug_level >= DEBUG_PROTOCOL) {
1173 hostname = sockaddr2hostname(&addr);
1174 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1180 if(n->status.sptps) {
1181 pkt.offset = 2 * sizeof(node_id_t);
1183 if(!memcmp(DSTID(&pkt), &nullid, sizeof nullid)) {
1188 from = lookup_node_id(SRCID(&pkt));
1189 to = lookup_node_id(DSTID(&pkt));
1192 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1197 send_sptps_data_priv(to, n, 0, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t));
1206 if(!receive_udppacket(from, &pkt))
1209 n->sock = ls - listen_socket;
1210 if(direct && sockaddrcmp(&addr, &n->address))
1211 update_node_udp(n, &addr);
1214 void handle_device_data(void *data, int flags) {
1215 vpn_packet_t packet;
1216 packet.offset = DEFAULT_PACKET_OFFSET;
1217 packet.priority = 0;
1219 if(devops.read(&packet)) {
1220 myself->in_packets++;
1221 myself->in_bytes += packet.len;
1222 route(myself, &packet);