2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include "connection.h"
50 #define MAX(a, b) ((a) > (b) ? (a) : (b))
55 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
58 static void send_udppacket(node_t *, vpn_packet_t *);
60 unsigned replaywin = 16;
61 bool localdiscovery = true;
62 bool udp_discovery = true;
63 int udp_discovery_interval = 9;
64 int udp_discovery_timeout = 30;
66 #define MAX_SEQNO 1073741824
68 static void try_fix_mtu(node_t *n) {
72 if(n->mtuprobes == 90 || n->minmtu >= n->maxmtu) {
73 if(n->minmtu > n->maxmtu)
74 n->minmtu = n->maxmtu;
76 n->maxmtu = n->minmtu;
78 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
83 static void udp_probe_timeout_handler(void *data) {
85 if(!n->status.udp_confirmed)
88 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
89 n->status.udp_confirmed = false;
95 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
96 if(!DATA(packet)[0]) {
97 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
99 /* It's a probe request, send back a reply */
101 /* Type 2 probe replies were introduced in protocol 17.3 */
102 if ((n->options >> 24) >= 3) {
103 uint8_t *data = DATA(packet);
105 uint16_t len16 = htons(len); memcpy(data, &len16, 2); data += 2;
107 gettimeofday(&now, NULL);
108 uint32_t sec = htonl(now.tv_sec); memcpy(data, &sec, 4); data += 4;
109 uint32_t usec = htonl(now.tv_usec); memcpy(data, &usec, 4); data += 4;
112 /* Legacy protocol: n won't understand type 2 probe replies. */
116 /* Temporarily set udp_confirmed, so that the reply is sent
117 back exactly the way it came in. */
119 bool udp_confirmed = n->status.udp_confirmed;
120 n->status.udp_confirmed = true;
121 send_udppacket(n, packet);
122 n->status.udp_confirmed = udp_confirmed;
124 length_t probelen = len;
125 if (DATA(packet)[0] == 2) {
127 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) UDP probe reply from %s (%s)", n->name, n->hostname);
129 uint16_t probelen16; memcpy(&probelen16, DATA(packet) + 1, 2); probelen = ntohs(probelen16);
132 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname);
134 /* It's a valid reply: now we know bidirectional communication
135 is possible using the address and socket that the reply
137 n->status.udp_confirmed = true;
140 timeout_del(&n->udp_ping_timeout);
141 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
144 if(probelen >= n->maxmtu + 8) {
145 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
151 /* If applicable, raise the minimum supported MTU */
153 if(probelen > n->maxmtu)
154 probelen = n->maxmtu;
155 if(n->minmtu < probelen) {
156 n->minmtu = probelen;
161 The RTT is the time between the MTU probe burst was sent and the first
165 struct timeval now, diff;
166 gettimeofday(&now, NULL);
167 timersub(&now, &n->probe_time, &diff);
169 struct timeval probe_timestamp = now;
170 if (DATA(packet)[0] == 2 && packet->len >= 11) {
171 uint32_t sec; memcpy(&sec, DATA(packet) + 3, 4);
172 uint32_t usec; memcpy(&usec, DATA(packet) + 7, 4);
173 probe_timestamp.tv_sec = ntohl(sec);
174 probe_timestamp.tv_usec = ntohl(usec);
179 if(n->probe_counter == 1) {
180 n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
181 n->probe_time = probe_timestamp;
182 logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->packetloss * 1e2);
187 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
189 memcpy(dest, source, len);
191 } else if(level == 10) {
193 lzo_uint lzolen = MAXSIZE;
194 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
199 } else if(level < 10) {
201 unsigned long destlen = MAXSIZE;
202 if(compress2(dest, &destlen, source, len, level) == Z_OK)
209 lzo_uint lzolen = MAXSIZE;
210 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
220 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
222 memcpy(dest, source, len);
224 } else if(level > 9) {
226 lzo_uint lzolen = MAXSIZE;
227 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
235 unsigned long destlen = MAXSIZE;
236 if(uncompress(dest, &destlen, source, len) == Z_OK)
248 static void receive_packet(node_t *n, vpn_packet_t *packet) {
249 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
250 packet->len, n->name, n->hostname);
253 n->in_bytes += packet->len;
258 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
260 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
262 #ifdef DISABLE_LEGACY
265 if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
268 return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
272 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
273 vpn_packet_t pkt1, pkt2;
274 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
277 pkt1.offset = DEFAULT_PACKET_OFFSET;
278 pkt2.offset = DEFAULT_PACKET_OFFSET;
280 if(n->status.sptps) {
281 if(!n->sptps.state) {
282 if(!n->status.waitingforkey) {
283 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
286 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
290 inpkt->offset += 2 * sizeof(node_id_t);
291 if(!sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t))) {
292 logger(DEBUG_TRAFFIC, LOG_ERR, "Got bad packet from %s (%s)", n->name, n->hostname);
298 #ifdef DISABLE_LEGACY
301 if(!n->status.validkey) {
302 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
306 /* Check packet length */
308 if(inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
309 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
310 n->name, n->hostname);
314 /* It's a legacy UDP packet, the data starts after the seqno */
316 inpkt->offset += sizeof(seqno_t);
318 /* Check the message authentication code */
320 if(digest_active(n->indigest)) {
321 inpkt->len -= digest_length(n->indigest);
322 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
323 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
327 /* Decrypt the packet */
329 if(cipher_active(n->incipher)) {
330 vpn_packet_t *outpkt = pkt[nextpkt++];
333 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
334 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
338 outpkt->len = outlen;
342 /* Check the sequence number */
345 memcpy(&seqno, SEQNO(inpkt), sizeof seqno);
346 seqno = ntohl(seqno);
347 inpkt->len -= sizeof seqno;
350 if(seqno != n->received_seqno + 1) {
351 if(seqno >= n->received_seqno + replaywin * 8) {
352 if(n->farfuture++ < replaywin >> 2) {
353 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
354 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
357 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
358 seqno - n->received_seqno - 1, n->name, n->hostname);
359 memset(n->late, 0, replaywin);
360 } else if (seqno <= n->received_seqno) {
361 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
362 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
363 n->name, n->hostname, seqno, n->received_seqno);
367 for(int i = n->received_seqno + 1; i < seqno; i++)
368 n->late[(i / 8) % replaywin] |= 1 << i % 8;
373 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
376 if(seqno > n->received_seqno)
377 n->received_seqno = seqno;
381 if(n->received_seqno > MAX_SEQNO)
384 /* Decompress the packet */
386 length_t origlen = inpkt->len;
388 if(n->incompression) {
389 vpn_packet_t *outpkt = pkt[nextpkt++];
391 if((outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression)) < 0) {
392 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
393 n->name, n->hostname);
399 origlen -= MTU/64 + 20;
404 if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
405 udp_probe_h(n, inpkt, origlen);
407 receive_packet(n, inpkt);
412 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
414 outpkt.offset = DEFAULT_PACKET_OFFSET;
416 if(len > sizeof outpkt.data - outpkt.offset)
420 if(c->options & OPTION_TCPONLY)
423 outpkt.priority = -1;
424 memcpy(DATA(&outpkt), buffer, len);
426 receive_packet(c->node, &outpkt);
429 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
430 if(!n->status.validkey && !n->connection)
436 if(!(DATA(origpkt)[12] | DATA(origpkt)[13])) {
437 sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
441 if(routing_mode == RMODE_ROUTER)
446 if(origpkt->len < offset)
451 if(n->outcompression) {
453 int len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
455 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
456 } else if(len < origpkt->len - offset) {
457 outpkt.len = len + offset;
459 type |= PKT_COMPRESSED;
463 /* If we have a direct metaconnection to n, and we can't use UDP, then
464 don't bother with SPTPS and just use a "plaintext" PACKET message.
465 We don't really care about end-to-end security since we're not
466 sending the message through any intermediate nodes. */
467 if(n->connection && origpkt->len > n->minmtu)
468 send_tcppacket(n->connection, origpkt);
470 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
474 static void adapt_socket(const sockaddr_t *sa, int *sock) {
475 /* Make sure we have a suitable socket for the chosen address */
476 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
477 for(int i = 0; i < listen_sockets; i++) {
478 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
486 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
491 /* If the UDP address is confirmed, use it. */
492 if(n->status.udp_confirmed)
495 /* Send every third packet to n->address; that could be set
496 to the node's reflexive UDP address discovered during key
505 /* Otherwise, address are found in edges to this node.
506 So we pick a random edge and a random socket. */
509 int j = rand() % n->edge_tree->count;
510 edge_t *candidate = NULL;
512 for splay_each(edge_t, e, n->edge_tree) {
514 candidate = e->reverse;
520 *sa = &candidate->address;
521 *sock = rand() % listen_sockets;
524 adapt_socket(*sa, sock);
527 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
530 /* Pick one of the edges from this node at random, then use its local address. */
533 int j = rand() % n->edge_tree->count;
534 edge_t *candidate = NULL;
536 for splay_each(edge_t, e, n->edge_tree) {
543 if (candidate && candidate->local_address.sa.sa_family) {
544 *sa = &candidate->local_address;
545 *sock = rand() % listen_sockets;
546 adapt_socket(*sa, sock);
550 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
551 vpn_packet_t pkt1, pkt2;
552 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
553 vpn_packet_t *inpkt = origpkt;
555 vpn_packet_t *outpkt;
556 int origlen = origpkt->len;
558 #if defined(SOL_IP) && defined(IP_TOS)
559 static int priority = 0;
560 int origpriority = origpkt->priority;
563 pkt1.offset = DEFAULT_PACKET_OFFSET;
564 pkt2.offset = DEFAULT_PACKET_OFFSET;
566 if(!n->status.reachable) {
567 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
572 return send_sptps_packet(n, origpkt);
574 #ifdef DISABLE_LEGACY
577 /* Make sure we have a valid key */
579 if(!n->status.validkey) {
580 logger(DEBUG_TRAFFIC, LOG_INFO,
581 "No valid key known yet for %s (%s), forwarding via TCP",
582 n->name, n->hostname);
583 send_tcppacket(n->nexthop->connection, origpkt);
587 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
588 logger(DEBUG_TRAFFIC, LOG_INFO,
589 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
590 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
593 send_packet(n->nexthop, origpkt);
595 send_tcppacket(n->nexthop->connection, origpkt);
600 /* Compress the packet */
602 if(n->outcompression) {
603 outpkt = pkt[nextpkt++];
605 if((outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression)) < 0) {
606 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
607 n->name, n->hostname);
614 /* Add sequence number */
616 seqno_t seqno = htonl(++(n->sent_seqno));
617 memcpy(SEQNO(inpkt), &seqno, sizeof seqno);
618 inpkt->len += sizeof seqno;
620 /* Encrypt the packet */
622 if(cipher_active(n->outcipher)) {
623 outpkt = pkt[nextpkt++];
626 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
627 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
631 outpkt->len = outlen;
635 /* Add the message authentication code */
637 if(digest_active(n->outdigest)) {
638 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
639 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
643 inpkt->len += digest_length(n->outdigest);
646 /* Send the packet */
648 const sockaddr_t *sa = NULL;
651 if(n->status.send_locally)
652 choose_local_address(n, &sa, &sock);
654 choose_udp_address(n, &sa, &sock);
656 #if defined(SOL_IP) && defined(IP_TOS)
657 if(priorityinheritance && origpriority != priority
658 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
659 priority = origpriority;
660 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
661 if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
662 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
666 if(sendto(listen_socket[sock].udp.fd, SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
667 if(sockmsgsize(sockerrno)) {
668 if(n->maxmtu >= origlen)
669 n->maxmtu = origlen - 1;
670 if(n->mtu >= origlen)
671 n->mtu = origlen - 1;
674 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
678 origpkt->len = origlen;
682 static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void *data, size_t len) {
683 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
684 bool direct = from == myself && to == relay;
685 bool relay_supported = (relay->options >> 24) >= 4;
686 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
688 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU.
689 TODO: When relaying, the original sender does not know the end-to-end PMTU (it only knows the PMTU of the first hop).
690 This can lead to scenarios where large packets are sent over UDP to relay, but then relay has no choice but fall back to TCP. */
692 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
693 char buf[len * 4 / 3 + 5];
694 b64encode(data, buf, len);
695 /* If no valid key is known yet, send the packets using ANS_KEY requests,
696 to ensure we get to learn the reflexive UDP address. */
697 if(from == myself && !to->status.validkey) {
698 to->incompression = myself->incompression;
699 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
701 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, REQ_SPTPS, buf);
706 if(relay_supported) overhead += sizeof to->id + sizeof from->id;
707 char buf[len + overhead]; char* buf_ptr = buf;
708 if(relay_supported) {
710 /* Inform the recipient that this packet was sent directly. */
711 node_id_t nullid = {};
712 memcpy(buf_ptr, &nullid, sizeof nullid); buf_ptr += sizeof nullid;
714 memcpy(buf_ptr, &to->id, sizeof to->id); buf_ptr += sizeof to->id;
716 memcpy(buf_ptr, &from->id, sizeof from->id); buf_ptr += sizeof from->id;
719 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
720 memcpy(buf_ptr, data, len); buf_ptr += len;
722 const sockaddr_t *sa = NULL;
724 if(relay->status.send_locally)
725 choose_local_address(relay, &sa, &sock);
727 choose_udp_address(relay, &sa, &sock);
728 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
729 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
730 if(sockmsgsize(sockerrno)) {
731 // Compensate for SPTPS overhead
732 len -= SPTPS_DATAGRAM_OVERHEAD;
733 if(relay->maxmtu >= len)
734 relay->maxmtu = len - 1;
735 if(relay->mtu >= len)
736 relay->mtu = len - 1;
739 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
747 bool send_sptps_data(void *handle, uint8_t type, const void *data, size_t len) {
748 return send_sptps_data_priv(handle, myself, type, data, len);
751 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
752 node_t *from = handle;
754 if(type == SPTPS_HANDSHAKE) {
755 if(!from->status.validkey) {
756 from->status.validkey = true;
757 from->status.waitingforkey = false;
758 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
764 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
769 inpkt.offset = DEFAULT_PACKET_OFFSET;
771 if(type == PKT_PROBE) {
773 memcpy(DATA(&inpkt), data, len);
774 udp_probe_h(from, &inpkt, len);
778 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
779 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
783 /* Check if we have the headers we need */
784 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
785 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
787 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
788 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
791 int offset = (type & PKT_MAC) ? 0 : 14;
792 if(type & PKT_COMPRESSED) {
793 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
797 inpkt.len = ulen + offset;
799 if(inpkt.len > MAXSIZE)
802 memcpy(DATA(&inpkt) + offset, data, len);
803 inpkt.len = len + offset;
806 /* Generate the Ethernet packet type if necessary */
808 switch(DATA(&inpkt)[14] >> 4) {
810 DATA(&inpkt)[12] = 0x08;
811 DATA(&inpkt)[13] = 0x00;
814 DATA(&inpkt)[12] = 0x86;
815 DATA(&inpkt)[13] = 0xDD;
818 logger(DEBUG_TRAFFIC, LOG_ERR,
819 "Unknown IP version %d while reading packet from %s (%s)",
820 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
825 receive_packet(from, &inpkt);
829 // This function tries to get SPTPS keys, if they aren't already known.
830 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
831 static void try_sptps(node_t *n) {
832 if(n->status.validkey)
835 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
837 if(!n->status.waitingforkey)
839 else if(n->last_req_key + 10 < now.tv_sec) {
840 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
841 sptps_stop(&n->sptps);
842 n->status.waitingforkey = false;
849 static void send_udp_probe_packet(node_t *n, int len) {
851 packet.offset = DEFAULT_PACKET_OFFSET;
852 memset(DATA(&packet), 0, 14);
853 randomize(DATA(&packet) + 14, len - 14);
857 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname);
859 send_udppacket(n, &packet);
862 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
863 // If a tunnel is already established, it makes sure it stays up.
864 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
865 static void try_udp(node_t* n) {
870 gettimeofday(&now, NULL);
871 struct timeval ping_tx_elapsed;
872 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
874 if(ping_tx_elapsed.tv_sec >= udp_discovery_interval) {
875 send_udp_probe_packet(n, MAX(n->minmtu, 16));
876 n->udp_ping_sent = now;
878 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
879 n->status.send_locally = true;
880 send_udp_probe_packet(n, 16);
881 n->status.send_locally = false;
886 // This function tries to determines the MTU of a node.
887 // By calling this function repeatedly, n->minmtu will be progressively increased, and at some point, n->mtu will be fixed to n->minmtu.
888 // If the MTU is already fixed, this function checks if it can be increased.
889 static void try_mtu(node_t *n) {
890 if(!(n->options & OPTION_PMTU_DISCOVERY))
893 if(udp_discovery && !n->status.udp_confirmed) {
900 /* mtuprobes == 0..89: initial discovery, send bursts with 1 second interval, mtuprobes++
901 mtuprobes == 90: fix MTU, and go to -1
902 mtuprobes == -1: send one >maxmtu probe every pingtimeout */
905 gettimeofday(&now, NULL);
906 struct timeval elapsed;
907 timersub(&now, &n->probe_sent_time, &elapsed);
908 if(n->mtuprobes >= 0) {
909 if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333)
912 if(elapsed.tv_sec < pingtimeout)
919 if(n->mtuprobes < 0) {
920 /* After the initial discovery, we only send one >maxmtu probe
921 to detect PMTU increases. */
922 if(n->maxmtu + 8 < MTU)
923 send_udp_probe_packet(n, n->maxmtu + 8);
925 /* Probes are sent with random sizes between the
926 lower and upper boundaries for the MTU thus far discovered. */
928 if(n->minmtu < n->maxmtu)
929 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
930 send_udp_probe_packet(n, MAX(len, 64));
932 if(n->mtuprobes >= 0)
936 n->probe_counter = 0;
937 n->probe_sent_time = now;
940 /* Calculate the packet loss of incoming traffic by comparing the rate of
941 packets received to the rate with which the sequence number has increased.
942 TODO: this is unrelated to PMTU discovery - it should be moved elsewhere.
945 if(n->received > n->prev_received)
946 n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
948 n->packetloss = n->received_seqno <= n->prev_received_seqno;
950 n->prev_received_seqno = n->received_seqno;
951 n->prev_received = n->received;
954 // This function tries to establish a tunnel to a node (or its relay) so that packets can be sent (e.g. get SPTPS keys).
955 // If a tunnel is already established, it tries to improve it (e.g. by trying to establish a UDP tunnel instead of TCP).
956 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if TCP and/or UDP is usable.
957 // By calling this function repeatedly, the tunnel is gradually improved until we hit the wall imposed by the underlying network environment.
958 // It is recommended to call this function every time a packet is sent (or intended to be sent) to a node,
959 // so that the tunnel keeps improving as packets flow, and then gracefully downgrades itself as it goes idle.
960 static void try_tx(node_t *n) {
961 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
962 messages anyway, so there's no need for SPTPS at all. Otherwise, get the keys. */
963 if(n->status.sptps && !(n->connection && ((myself->options | n->options) & OPTION_TCPONLY))) {
965 if (!n->status.validkey)
969 node_t *via = (n->via == myself) ? n->nexthop : n->via;
971 if((myself->options | via->options) & OPTION_TCPONLY)
974 if(!n->status.sptps && !via->status.validkey && via->last_req_key + 10 <= now.tv_sec) {
976 via->last_req_key = now.tv_sec;
977 } else if(via == n || !n->status.sptps || (via->options >> 24) >= 4) {
982 /* If we don't know how to reach "via" yet, then try to reach it through a relay. */
983 if(n->status.sptps && !via->status.udp_confirmed && via->nexthop != via && (via->nexthop->options >> 24) >= 4)
984 try_tx(via->nexthop);
988 send a packet to the given vpn ip.
990 void send_packet(node_t *n, vpn_packet_t *packet) {
995 memcpy(DATA(packet), mymac.x, ETH_ALEN);
997 n->out_bytes += packet->len;
998 devops.write(packet);
1002 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
1003 packet->len, n->name, n->hostname);
1005 if(!n->status.reachable) {
1006 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
1007 n->name, n->hostname);
1012 n->out_bytes += packet->len;
1014 if(n->status.sptps) {
1015 send_sptps_packet(n, packet);
1019 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1022 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
1023 n->name, via->name, n->via->hostname);
1025 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1026 if(!send_tcppacket(via->connection, packet))
1027 terminate_connection(via->connection, true);
1029 send_udppacket(via, packet);
1032 /* Try to improve the tunnel.
1033 Note that we do this *after* we send the packet because sending actual packets take priority
1034 with regard to the send buffer space and latency. */
1038 /* Broadcast a packet using the minimum spanning tree */
1040 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1041 // Always give ourself a copy of the packet.
1043 send_packet(myself, packet);
1045 // In TunnelServer mode, do not forward broadcast packets.
1046 // The MST might not be valid and create loops.
1047 if(tunnelserver || broadcast_mode == BMODE_NONE)
1050 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1051 packet->len, from->name, from->hostname);
1053 switch(broadcast_mode) {
1054 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1055 // This guarantees all nodes receive the broadcast packet, and
1056 // usually distributes the sending of broadcast packets over all nodes.
1058 for list_each(connection_t, c, connection_list)
1059 if(c->edge && c->status.mst && c != from->nexthop->connection)
1060 send_packet(c->node, packet);
1063 // In direct mode, we send copies to each node we know of.
1064 // However, this only reaches nodes that can be reached in a single hop.
1065 // We don't have enough information to forward broadcast packets in this case.
1070 for splay_each(node_t, n, node_tree)
1071 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
1072 send_packet(n, packet);
1080 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1083 static time_t last_hard_try = 0;
1085 for splay_each(edge_t, e, edge_weight_tree) {
1086 if(!e->to->status.reachable || e->to == myself)
1089 if(sockaddrcmp_noport(from, &e->address)) {
1090 if(last_hard_try == now.tv_sec)
1095 if(!try_mac(e->to, pkt))
1103 last_hard_try = now.tv_sec;
1105 last_hard_try = now.tv_sec;
1109 void handle_incoming_vpn_data(void *data, int flags) {
1110 listen_socket_t *ls = data;
1113 node_id_t nullid = {};
1114 sockaddr_t addr = {};
1115 socklen_t addrlen = sizeof addr;
1117 bool direct = false;
1120 int len = recvfrom(ls->udp.fd, DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1122 if(len <= 0 || len > MAXSIZE) {
1123 if(!sockwouldblock(sockerrno))
1124 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1130 sockaddrunmap(&addr); /* Some braindead IPv6 implementations do stupid things. */
1132 // Try to figure out who sent this packet.
1134 node_t *n = lookup_node_udp(&addr);
1137 // It might be from a 1.1 node, which might have a source ID in the packet.
1138 pkt.offset = 2 * sizeof(node_id_t);
1139 from = lookup_node_id(SRCID(&pkt));
1140 if(from && !memcmp(DSTID(&pkt), &nullid, sizeof nullid) && from->status.sptps) {
1141 if(sptps_verify_datagram(&from->sptps, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t)))
1150 n = try_harder(&addr, &pkt);
1155 if(debug_level >= DEBUG_PROTOCOL) {
1156 hostname = sockaddr2hostname(&addr);
1157 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1163 if(n->status.sptps) {
1164 pkt.offset = 2 * sizeof(node_id_t);
1166 if(!memcmp(DSTID(&pkt), &nullid, sizeof nullid)) {
1171 from = lookup_node_id(SRCID(&pkt));
1172 to = lookup_node_id(DSTID(&pkt));
1175 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1180 send_sptps_data_priv(to, n, 0, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t));
1189 if(!receive_udppacket(from, &pkt))
1192 n->sock = ls - listen_socket;
1193 if(direct && sockaddrcmp(&addr, &n->address))
1194 update_node_udp(n, &addr);
1197 void handle_device_data(void *data, int flags) {
1198 vpn_packet_t packet;
1199 packet.offset = DEFAULT_PACKET_OFFSET;
1200 packet.priority = 0;
1202 if(devops.read(&packet)) {
1203 myself->in_packets++;
1204 myself->in_bytes += packet.len;
1205 route(myself, &packet);