2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2013 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 #include <openssl/rand.h>
26 #include <openssl/err.h>
27 #include <openssl/evp.h>
28 #include <openssl/pem.h>
29 #include <openssl/hmac.h>
41 #include "connection.h"
58 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
61 static void send_udppacket(node_t *, vpn_packet_t *);
63 unsigned replaywin = 16;
64 bool localdiscovery = false;
66 #define MAX_SEQNO 1073741824
68 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
69 mtuprobes == 31: sleep pinginterval seconds
70 mtuprobes == 32: send 1 burst, sleep pingtimeout second
71 mtuprobes == 33: no response from other side, restart PMTU discovery process
73 Probes are sent in batches of at least three, with random sizes between the
74 lower and upper boundaries for the MTU thus far discovered.
76 After the initial discovery, a fourth packet is added to each batch with a
77 size larger than the currently known PMTU, to test if the PMTU has increased.
79 In case local discovery is enabled, another packet is added to each batch,
80 which will be broadcast to the local network.
84 static void send_mtu_probe_handler(void *data) {
90 if(!n->status.reachable || !n->status.validkey) {
91 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
96 if(n->mtuprobes > 32) {
99 timeout = pinginterval;
103 logger(DEBUG_TRAFFIC, LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
104 n->status.udp_confirmed = false;
110 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
111 logger(DEBUG_TRAFFIC, LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
115 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
116 if(n->minmtu > n->maxmtu)
117 n->minmtu = n->maxmtu;
119 n->maxmtu = n->minmtu;
121 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
125 if(n->mtuprobes == 31) {
126 timeout = pinginterval;
128 } else if(n->mtuprobes == 32) {
129 timeout = pingtimeout;
132 for(int i = 0; i < 4 + localdiscovery; i++) {
136 if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
139 } else if(n->maxmtu <= n->minmtu) {
142 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
149 memset(packet.data, 0, 14);
150 randomize(packet.data + 14, len - 14);
152 if(i >= 4 && n->mtuprobes <= 10)
153 packet.priority = -1;
157 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
159 send_udppacket(n, &packet);
162 n->probe_counter = 0;
163 gettimeofday(&n->probe_time, NULL);
165 /* Calculate the packet loss of incoming traffic by comparing the rate of
166 packets received to the rate with which the sequence number has increased.
169 if(n->received > n->prev_received)
170 n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
172 n->packetloss = n->received_seqno <= n->prev_received_seqno;
174 n->prev_received_seqno = n->received_seqno;
175 n->prev_received = n->received;
178 timeout_set(&n->mtutimeout, &(struct timeval){timeout, rand() % 100000});
181 void send_mtu_probe(node_t *n) {
182 timeout_add(&n->mtutimeout, send_mtu_probe_handler, n, &(struct timeval){1, 0});
183 send_mtu_probe_handler(n);
186 static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
187 logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname);
189 if(!packet->data[0]) {
190 /* It's a probe request, send back a reply */
194 /* Temporarily set udp_confirmed, so that the reply is sent
195 back exactly the way it came in. */
197 bool udp_confirmed = n->status.udp_confirmed;
198 n->status.udp_confirmed = true;
199 send_udppacket(n, packet);
200 n->status.udp_confirmed = udp_confirmed;
202 /* It's a valid reply: now we know bidirectional communication
203 is possible using the address and socket that the reply
206 n->status.udp_confirmed = true;
208 /* If we haven't established the PMTU yet, restart the discovery process. */
210 if(n->mtuprobes > 30) {
211 if (len == n->maxmtu + 8) {
212 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
224 /* If applicable, raise the minimum supported MTU */
231 /* Calculate RTT and bandwidth.
232 The RTT is the time between the MTU probe burst was sent and the first
233 reply is received. The bandwidth is measured using the time between the
234 arrival of the first and third probe reply.
237 struct timeval now, diff;
238 gettimeofday(&now, NULL);
239 timersub(&now, &n->probe_time, &diff);
242 if(n->probe_counter == 1) {
243 n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
245 } else if(n->probe_counter == 3) {
246 n->bandwidth = 2.0 * len / (diff.tv_sec + diff.tv_usec * 1e-6);
247 logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, burst bandwidth %.3f Mbit/s, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->bandwidth * 8e-6, n->packetloss * 1e2);
252 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
254 memcpy(dest, source, len);
256 } else if(level == 10) {
258 lzo_uint lzolen = MAXSIZE;
259 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
264 } else if(level < 10) {
266 unsigned long destlen = MAXSIZE;
267 if(compress2(dest, &destlen, source, len, level) == Z_OK)
274 lzo_uint lzolen = MAXSIZE;
275 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
285 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
287 memcpy(dest, source, len);
289 } else if(level > 9) {
291 lzo_uint lzolen = MAXSIZE;
292 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
300 unsigned long destlen = MAXSIZE;
301 if(uncompress(dest, &destlen, source, len) == Z_OK)
313 static void receive_packet(node_t *n, vpn_packet_t *packet) {
314 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
315 packet->len, n->name, n->hostname);
318 n->in_bytes += packet->len;
323 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
325 return sptps_verify_datagram(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
327 if(!digest_active(&n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest))
330 return digest_verify(&n->indigest, &inpkt->seqno, inpkt->len - n->indigest.maclength, (const char *)&inpkt->seqno + inpkt->len - n->indigest.maclength);
333 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
334 vpn_packet_t pkt1, pkt2;
335 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
337 vpn_packet_t *outpkt = pkt[0];
340 if(n->status.sptps) {
341 sptps_receive_data(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
345 if(!cipher_active(&n->incipher)) {
346 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
347 n->name, n->hostname);
351 /* Check packet length */
353 if(inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest)) {
354 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
355 n->name, n->hostname);
359 /* Check the message authentication code */
361 if(digest_active(&n->indigest)) {
362 inpkt->len -= n->indigest.maclength;
363 if(!digest_verify(&n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
364 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
368 /* Decrypt the packet */
370 if(cipher_active(&n->incipher)) {
371 outpkt = pkt[nextpkt++];
374 if(!cipher_decrypt(&n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
375 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
379 outpkt->len = outlen;
383 /* Check the sequence number */
385 inpkt->len -= sizeof inpkt->seqno;
386 inpkt->seqno = ntohl(inpkt->seqno);
389 if(inpkt->seqno != n->received_seqno + 1) {
390 if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
391 if(n->farfuture++ < replaywin >> 2) {
392 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
393 n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
396 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
397 inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
398 memset(n->late, 0, replaywin);
399 } else if (inpkt->seqno <= n->received_seqno) {
400 if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
401 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
402 n->name, n->hostname, inpkt->seqno, n->received_seqno);
406 for(int i = n->received_seqno + 1; i < inpkt->seqno; i++)
407 n->late[(i / 8) % replaywin] |= 1 << i % 8;
412 n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
415 if(inpkt->seqno > n->received_seqno)
416 n->received_seqno = inpkt->seqno;
420 if(n->received_seqno > MAX_SEQNO)
423 /* Decompress the packet */
425 length_t origlen = inpkt->len;
427 if(n->incompression) {
428 outpkt = pkt[nextpkt++];
430 if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
431 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
432 n->name, n->hostname);
438 origlen -= MTU/64 + 20;
443 if(!inpkt->data[12] && !inpkt->data[13])
444 mtu_probe_h(n, inpkt, origlen);
446 receive_packet(n, inpkt);
449 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
453 if(c->options & OPTION_TCPONLY)
456 outpkt.priority = -1;
457 memcpy(outpkt.data, buffer, len);
459 receive_packet(c->node, &outpkt);
462 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
463 if(!n->status.validkey) {
464 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
465 if(!n->status.waitingforkey)
467 else if(n->last_req_key + 10 < time(NULL)) {
468 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
469 sptps_stop(&n->sptps);
470 n->status.waitingforkey = false;
479 if(!(origpkt->data[12] | origpkt->data[13])) {
480 sptps_send_record(&n->sptps, PKT_PROBE, (char *)origpkt->data, origpkt->len);
484 if(routing_mode == RMODE_ROUTER)
489 if(origpkt->len < offset)
494 if(n->outcompression) {
495 int len = compress_packet(outpkt.data + offset, origpkt->data + offset, origpkt->len - offset, n->outcompression);
497 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
498 } else if(len < origpkt->len - offset) {
499 outpkt.len = len + offset;
501 type |= PKT_COMPRESSED;
505 sptps_send_record(&n->sptps, type, (char *)origpkt->data + offset, origpkt->len - offset);
509 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
514 /* If the UDP address is confirmed, use it. */
515 if(n->status.udp_confirmed)
518 /* Send every third packet to n->address; that could be set
519 to the node's reflexive UDP address discovered during key
528 /* Otherwise, address are found in edges to this node.
529 So we pick a random edge and a random socket. */
532 int j = rand() % n->edge_tree->count;
533 edge_t *candidate = NULL;
535 for splay_each(edge_t, e, n->edge_tree) {
537 candidate = e->reverse;
543 *sa = &candidate->address;
544 *sock = rand() % listen_sockets;
547 /* Make sure we have a suitable socket for the chosen address */
548 if(listen_socket[*sock].sa.sa.sa_family != (*sa)->sa.sa_family) {
549 for(int i = 0; i < listen_sockets; i++) {
550 if(listen_socket[i].sa.sa.sa_family == (*sa)->sa.sa_family) {
558 static void choose_broadcast_address(const node_t *n, const sockaddr_t **sa, int *sock) {
559 static sockaddr_t broadcast_ipv4 = {
561 .sin_family = AF_INET,
562 .sin_addr.s_addr = -1,
566 static sockaddr_t broadcast_ipv6 = {
568 .sin6_family = AF_INET6,
569 .sin6_addr.s6_addr[0x0] = 0xff,
570 .sin6_addr.s6_addr[0x1] = 0x02,
571 .sin6_addr.s6_addr[0xf] = 0x01,
575 *sock = rand() % listen_sockets;
577 if(listen_socket[*sock].sa.sa.sa_family == AF_INET6) {
578 broadcast_ipv6.in6.sin6_port = n->prevedge->address.in.sin_port;
579 broadcast_ipv6.in6.sin6_scope_id = listen_socket[*sock].sa.in6.sin6_scope_id;
580 *sa = &broadcast_ipv6;
582 broadcast_ipv4.in.sin_port = n->prevedge->address.in.sin_port;
583 *sa = &broadcast_ipv4;
587 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
588 vpn_packet_t pkt1, pkt2;
589 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
590 vpn_packet_t *inpkt = origpkt;
592 vpn_packet_t *outpkt;
593 int origlen = origpkt->len;
595 #if defined(SOL_IP) && defined(IP_TOS)
596 static int priority = 0;
598 int origpriority = origpkt->priority;
600 if(!n->status.reachable) {
601 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
606 return send_sptps_packet(n, origpkt);
608 /* Make sure we have a valid key */
610 if(!n->status.validkey) {
611 logger(DEBUG_TRAFFIC, LOG_INFO,
612 "No valid key known yet for %s (%s), forwarding via TCP",
613 n->name, n->hostname);
615 if(n->last_req_key + 10 <= now.tv_sec) {
617 n->last_req_key = now.tv_sec;
620 send_tcppacket(n->nexthop->connection, origpkt);
625 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
626 logger(DEBUG_TRAFFIC, LOG_INFO,
627 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
628 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
631 send_packet(n->nexthop, origpkt);
633 send_tcppacket(n->nexthop->connection, origpkt);
638 /* Compress the packet */
640 if(n->outcompression) {
641 outpkt = pkt[nextpkt++];
643 if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
644 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
645 n->name, n->hostname);
652 /* Add sequence number */
654 inpkt->seqno = htonl(++(n->sent_seqno));
655 inpkt->len += sizeof inpkt->seqno;
657 /* Encrypt the packet */
659 if(cipher_active(&n->outcipher)) {
660 outpkt = pkt[nextpkt++];
663 if(!cipher_encrypt(&n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
664 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
668 outpkt->len = outlen;
672 /* Add the message authentication code */
674 if(digest_active(&n->outdigest)) {
675 digest_create(&n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
676 inpkt->len += digest_length(&n->outdigest);
679 /* Send the packet */
681 const sockaddr_t *sa;
684 /* Overloaded use of priority field: -1 means local broadcast */
686 if(origpriority == -1 && n->prevedge)
687 choose_broadcast_address(n, &sa, &sock);
689 choose_udp_address(n, &sa, &sock);
691 #if defined(SOL_IP) && defined(IP_TOS)
692 if(priorityinheritance && origpriority != priority
693 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
694 priority = origpriority;
695 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
696 if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
697 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
701 if(sendto(listen_socket[sock].udp.fd, (char *) &inpkt->seqno, inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
702 if(sockmsgsize(sockerrno)) {
703 if(n->maxmtu >= origlen)
704 n->maxmtu = origlen - 1;
705 if(n->mtu >= origlen)
706 n->mtu = origlen - 1;
708 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
712 origpkt->len = origlen;
715 bool send_sptps_data(void *handle, uint8_t type, const char *data, size_t len) {
718 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, or this packet is larger than the MTU. */
720 if(type >= SPTPS_HANDSHAKE || ((myself->options | to->options) & OPTION_TCPONLY) || (type != PKT_PROBE && len > to->minmtu)) {
721 char buf[len * 4 / 3 + 5];
722 b64encode(data, buf, len);
723 /* If no valid key is known yet, send the packets using ANS_KEY requests,
724 to ensure we get to learn the reflexive UDP address. */
725 if(!to->status.validkey)
726 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, myself->name, to->name, buf, myself->incompression);
728 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, to->name, REQ_SPTPS, buf);
731 /* Otherwise, send the packet via UDP */
733 const sockaddr_t *sa;
736 choose_udp_address(to, &sa, &sock);
738 if(sendto(listen_socket[sock].udp.fd, data, len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
739 if(sockmsgsize(sockerrno)) {
740 if(to->maxmtu >= len)
741 to->maxmtu = len - 1;
745 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", to->name, to->hostname, sockstrerror(sockerrno));
753 bool receive_sptps_record(void *handle, uint8_t type, const char *data, uint16_t len) {
754 node_t *from = handle;
756 if(type == SPTPS_HANDSHAKE) {
757 if(!from->status.validkey) {
758 from->status.validkey = true;
759 from->status.waitingforkey = false;
760 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
766 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
772 if(type == PKT_PROBE) {
774 memcpy(inpkt.data, data, len);
775 mtu_probe_h(from, &inpkt, len);
779 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
780 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
784 /* Check if we have the headers we need */
785 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
786 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
788 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
789 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
792 int offset = (type & PKT_MAC) ? 0 : 14;
793 if(type & PKT_COMPRESSED) {
794 length_t ulen = uncompress_packet(inpkt.data + offset, (const uint8_t *)data, len, from->incompression);
798 inpkt.len = ulen + offset;
800 if(inpkt.len > MAXSIZE)
803 memcpy(inpkt.data + offset, data, len);
804 inpkt.len = len + offset;
807 /* Generate the Ethernet packet type if necessary */
809 switch(inpkt.data[14] >> 4) {
811 inpkt.data[12] = 0x08;
812 inpkt.data[13] = 0x00;
815 inpkt.data[12] = 0x86;
816 inpkt.data[13] = 0xDD;
819 logger(DEBUG_TRAFFIC, LOG_ERR,
820 "Unknown IP version %d while reading packet from %s (%s)",
821 inpkt.data[14] >> 4, from->name, from->hostname);
826 receive_packet(from, &inpkt);
831 send a packet to the given vpn ip.
833 void send_packet(node_t *n, vpn_packet_t *packet) {
838 memcpy(packet->data, mymac.x, ETH_ALEN);
840 n->out_bytes += packet->len;
841 devops.write(packet);
845 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
846 packet->len, n->name, n->hostname);
848 if(!n->status.reachable) {
849 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
850 n->name, n->hostname);
855 n->out_bytes += packet->len;
857 if(n->status.sptps) {
858 send_sptps_packet(n, packet);
862 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
865 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
866 n->name, via->name, n->via->hostname);
868 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
869 if(!send_tcppacket(via->connection, packet))
870 terminate_connection(via->connection, true);
872 send_udppacket(via, packet);
875 /* Broadcast a packet using the minimum spanning tree */
877 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
878 // Always give ourself a copy of the packet.
880 send_packet(myself, packet);
882 // In TunnelServer mode, do not forward broadcast packets.
883 // The MST might not be valid and create loops.
884 if(tunnelserver || broadcast_mode == BMODE_NONE)
887 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
888 packet->len, from->name, from->hostname);
890 switch(broadcast_mode) {
891 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
892 // This guarantees all nodes receive the broadcast packet, and
893 // usually distributes the sending of broadcast packets over all nodes.
895 for list_each(connection_t, c, connection_list)
896 if(c->status.active && c->status.mst && c != from->nexthop->connection)
897 send_packet(c->node, packet);
900 // In direct mode, we send copies to each node we know of.
901 // However, this only reaches nodes that can be reached in a single hop.
902 // We don't have enough information to forward broadcast packets in this case.
907 for splay_each(node_t, n, node_tree)
908 if(n->status.reachable && ((n->via == myself && n->nexthop == n) || n->via == n))
909 send_packet(n, packet);
917 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
920 static time_t last_hard_try = 0;
922 for splay_each(edge_t, e, edge_weight_tree) {
923 if(!e->to->status.reachable || e->to == myself)
926 if(sockaddrcmp_noport(from, &e->address)) {
927 if(last_hard_try == now.tv_sec)
932 if(!try_mac(e->to, pkt))
940 last_hard_try = now.tv_sec;
942 last_hard_try = now.tv_sec;
946 void handle_incoming_vpn_data(void *data, int flags) {
947 listen_socket_t *ls = data;
950 sockaddr_t from = {{0}};
951 socklen_t fromlen = sizeof from;
955 len = recvfrom(ls->udp.fd, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
957 if(len <= 0 || len > MAXSIZE) {
958 if(!sockwouldblock(sockerrno))
959 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
965 sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
967 n = lookup_node_udp(&from);
970 n = try_harder(&from, &pkt);
972 update_node_udp(n, &from);
973 else if(debug_level >= DEBUG_PROTOCOL) {
974 hostname = sockaddr2hostname(&from);
975 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
983 n->sock = ls - listen_socket;
985 receive_udppacket(n, &pkt);
988 void handle_device_data(void *data, int flags) {
993 if(devops.read(&packet)) {
994 myself->in_packets++;
995 myself->in_bytes += packet.len;
996 route(myself, &packet);