2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2018 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
34 #include "address_cache.h"
37 #include "connection.h"
54 #define MAX(a, b) ((a) > (b) ? (a) : (b))
57 /* The minimum size of a probe is 14 bytes, but since we normally use CBC mode
58 encryption, we can add a few extra random bytes without increasing the
59 resulting packet size. */
60 #define MIN_PROBE_SIZE 18
64 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
67 static void send_udppacket(node_t *, vpn_packet_t *);
69 unsigned replaywin = 32;
70 bool localdiscovery = true;
71 bool udp_discovery = true;
72 int udp_discovery_keepalive_interval = 10;
73 int udp_discovery_interval = 2;
74 int udp_discovery_timeout = 30;
76 #define MAX_SEQNO 1073741824
78 static void try_fix_mtu(node_t *n) {
79 if(n->mtuprobes < 0) {
83 if(n->mtuprobes == 20 || n->minmtu >= n->maxmtu) {
84 if(n->minmtu > n->maxmtu) {
85 n->minmtu = n->maxmtu;
87 n->maxmtu = n->minmtu;
91 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
96 static void udp_probe_timeout_handler(void *data) {
99 if(!n->status.udp_confirmed) {
103 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
104 n->status.udp_confirmed = false;
105 n->udp_ping_rtt = -1;
112 static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len) {
113 if(!n->status.sptps && !n->status.validkey) {
114 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP probe reply to %s (%s) but we don't have his key yet", n->name, n->hostname);
118 /* Type 2 probe replies were introduced in protocol 17.3 */
119 if((n->options >> 24) >= 3) {
121 uint16_t len16 = htons(len);
122 memcpy(DATA(packet) + 1, &len16, 2);
123 packet->len = MIN_PROBE_SIZE;
124 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 2 probe reply length %u to %s (%s)", len, n->name, n->hostname);
127 /* Legacy protocol: n won't understand type 2 probe replies. */
129 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 1 probe reply length %u to %s (%s)", len, n->name, n->hostname);
132 /* Temporarily set udp_confirmed, so that the reply is sent
133 back exactly the way it came in. */
135 bool udp_confirmed = n->status.udp_confirmed;
136 n->status.udp_confirmed = true;
137 send_udppacket(n, packet);
138 n->status.udp_confirmed = udp_confirmed;
141 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
142 if(!DATA(packet)[0]) {
143 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
144 send_udp_probe_reply(n, packet, len);
148 if(DATA(packet)[0] == 2) {
149 // It's a type 2 probe reply, use the length field inside the packet
151 memcpy(&len16, DATA(packet) + 1, 2);
155 if(n->udp_ping_sent.tv_sec != 0) { // a probe in flight
156 gettimeofday(&now, NULL);
158 timersub(&now, &n->udp_ping_sent, &rtt);
159 n->udp_ping_rtt = rtt.tv_sec * 1000000 + rtt.tv_usec;
160 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s) rtt=%d.%03d", DATA(packet)[0], len, n->name, n->hostname, n->udp_ping_rtt / 1000, n->udp_ping_rtt % 1000);
162 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
165 /* It's a valid reply: now we know bidirectional communication
166 is possible using the address and socket that the reply
168 if(!n->status.udp_confirmed) {
169 n->status.udp_confirmed = true;
171 if(!n->address_cache) {
172 n->address_cache = open_address_cache(n);
175 reset_address_cache(n->address_cache, &n->address);
178 // Reset the UDP ping timer. (no probe in flight)
179 n->udp_ping_sent.tv_sec = 0;
182 timeout_del(&n->udp_ping_timeout);
183 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval) {
184 udp_discovery_timeout, 0
188 if(len > n->maxmtu) {
189 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
192 /* Set mtuprobes to 1 so that try_mtu() doesn't reset maxmtu */
195 } else if(n->mtuprobes < 0 && len == n->maxmtu) {
196 /* We got a maxmtu sized packet, confirming the PMTU is still valid. */
198 n->mtu_ping_sent = now;
201 /* If applicable, raise the minimum supported MTU */
203 if(n->minmtu < len) {
209 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
211 memcpy(dest, source, len);
213 } else if(level == 10) {
215 lzo_uint lzolen = MAXSIZE;
216 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
221 } else if(level < 10) {
223 unsigned long destlen = MAXSIZE;
225 if(compress2(dest, &destlen, source, len, level) == Z_OK) {
232 lzo_uint lzolen = MAXSIZE;
233 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
243 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
245 memcpy(dest, source, len);
247 } else if(level > 9) {
249 lzo_uint lzolen = MAXSIZE;
251 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK) {
260 unsigned long destlen = MAXSIZE;
261 static z_stream stream;
264 inflateReset(&stream);
266 inflateInit(&stream);
269 stream.next_in = source;
270 stream.avail_in = len;
271 stream.next_out = dest;
272 stream.avail_out = destlen;
273 stream.total_out = 0;
275 if(inflate(&stream, Z_FINISH) == Z_STREAM_END) {
276 return stream.total_out;
289 static void receive_packet(node_t *n, vpn_packet_t *packet) {
290 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
291 packet->len, n->name, n->hostname);
294 n->in_bytes += packet->len;
299 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
300 if(n->status.sptps) {
301 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
304 #ifdef DISABLE_LEGACY
308 if(!n->status.validkey_in || !digest_active(n->indigest) || (size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
312 return digest_verify(n->indigest, inpkt->data, inpkt->len - digest_length(n->indigest), inpkt->data + inpkt->len - digest_length(n->indigest));
316 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
317 if(n->status.sptps) {
318 if(!n->sptps.state) {
319 if(!n->status.waitingforkey) {
320 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
323 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
329 n->status.udppacket = true;
330 bool result = sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len);
331 n->status.udppacket = false;
334 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
335 so let's restart SPTPS in case that helps. But don't do that too often
336 to prevent storms, and because that would make life a little too easy
337 for external attackers trying to DoS us. */
338 if(n->last_req_key < now.tv_sec - 10) {
339 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", n->name, n->hostname);
349 #ifdef DISABLE_LEGACY
352 vpn_packet_t pkt1, pkt2;
353 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
356 pkt1.offset = DEFAULT_PACKET_OFFSET;
357 pkt2.offset = DEFAULT_PACKET_OFFSET;
359 if(!n->status.validkey_in) {
360 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
364 /* Check packet length */
366 if((size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
367 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
368 n->name, n->hostname);
372 /* It's a legacy UDP packet, the data starts after the seqno */
374 inpkt->offset += sizeof(seqno_t);
376 /* Check the message authentication code */
378 if(digest_active(n->indigest)) {
379 inpkt->len -= digest_length(n->indigest);
381 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
382 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
387 /* Decrypt the packet */
389 if(cipher_active(n->incipher)) {
390 vpn_packet_t *outpkt = pkt[nextpkt++];
393 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
394 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
398 outpkt->len = outlen;
402 /* Check the sequence number */
405 memcpy(&seqno, SEQNO(inpkt), sizeof(seqno));
406 seqno = ntohl(seqno);
407 inpkt->len -= sizeof(seqno);
410 if(seqno != n->received_seqno + 1) {
411 if(seqno >= n->received_seqno + replaywin * 8) {
412 if(n->farfuture++ < replaywin >> 2) {
413 logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
414 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
418 logger(DEBUG_TRAFFIC, LOG_WARNING, "Lost %d packets from %s (%s)",
419 seqno - n->received_seqno - 1, n->name, n->hostname);
420 memset(n->late, 0, replaywin);
421 } else if(seqno <= n->received_seqno) {
422 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
423 logger(DEBUG_TRAFFIC, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
424 n->name, n->hostname, seqno, n->received_seqno);
428 for(seqno_t i = n->received_seqno + 1; i < seqno; i++) {
429 n->late[(i / 8) % replaywin] |= 1 << i % 8;
435 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
438 if(seqno > n->received_seqno) {
439 n->received_seqno = seqno;
444 if(n->received_seqno > MAX_SEQNO) {
448 /* Decompress the packet */
450 length_t origlen = inpkt->len;
452 if(n->incompression) {
453 vpn_packet_t *outpkt = pkt[nextpkt++];
455 if(!(outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression))) {
456 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
457 n->name, n->hostname);
463 if(origlen > MTU / 64 + 20) {
464 origlen -= MTU / 64 + 20;
470 if(inpkt->len > n->maxrecentlen) {
471 n->maxrecentlen = inpkt->len;
476 if(!DATA(inpkt)[12] && !DATA(inpkt)[13]) {
477 udp_probe_h(n, inpkt, origlen);
479 receive_packet(n, inpkt);
486 void receive_tcppacket(connection_t *c, const char *buffer, size_t len) {
488 outpkt.offset = DEFAULT_PACKET_OFFSET;
490 if(len > sizeof(outpkt.data) - outpkt.offset) {
496 if(c->options & OPTION_TCPONLY) {
499 outpkt.priority = -1;
502 memcpy(DATA(&outpkt), buffer, len);
504 receive_packet(c->node, &outpkt);
507 bool receive_tcppacket_sptps(connection_t *c, const char *data, size_t len) {
508 if(len < sizeof(node_id_t) + sizeof(node_id_t)) {
509 logger(DEBUG_PROTOCOL, LOG_ERR, "Got too short TCP SPTPS packet from %s (%s)", c->name, c->hostname);
513 node_t *to = lookup_node_id((node_id_t *)data);
514 data += sizeof(node_id_t);
515 len -= sizeof(node_id_t);
518 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown destination ID", c->name, c->hostname);
522 node_t *from = lookup_node_id((node_id_t *)data);
523 data += sizeof(node_id_t);
524 len -= sizeof(node_id_t);
527 logger(DEBUG_PROTOCOL, LOG_ERR, "Got TCP SPTPS packet from %s (%s) with unknown source ID", c->name, c->hostname);
531 if(!to->status.reachable) {
532 /* This can happen in the form of a race condition
533 if the node just became unreachable. */
534 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay TCP packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
538 /* Help the sender reach us over UDP.
539 Note that we only do this if we're the destination or the static relay;
540 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
541 if(to->via == myself) {
542 send_udp_info(myself, from);
545 /* If we're not the final recipient, relay the packet. */
548 send_sptps_data(to, from, 0, data, len);
553 /* The packet is for us */
555 if(!sptps_receive_data(&from->sptps, data, len)) {
556 /* Uh-oh. It might be that the tunnel is stuck in some corrupted state,
557 so let's restart SPTPS in case that helps. But don't do that too often
558 to prevent storms. */
559 if(from->last_req_key < now.tv_sec - 10) {
560 logger(DEBUG_PROTOCOL, LOG_ERR, "Failed to decode raw TCP packet from %s (%s), restarting SPTPS", from->name, from->hostname);
567 send_mtu_info(myself, from, MTU);
571 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
572 if(!n->status.validkey && !n->connection) {
579 if((!(DATA(origpkt)[12] | DATA(origpkt)[13])) && (n->sptps.outstate)) {
580 sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
584 if(routing_mode == RMODE_ROUTER) {
590 if(origpkt->len < offset) {
596 if(n->outcompression) {
598 length_t len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
601 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
602 } else if(len < origpkt->len - offset) {
603 outpkt.len = len + offset;
605 type |= PKT_COMPRESSED;
609 /* If we have a direct metaconnection to n, and we can't use UDP, then
610 don't bother with SPTPS and just use a "plaintext" PACKET message.
611 We don't really care about end-to-end security since we're not
612 sending the message through any intermediate nodes. */
613 if(n->connection && origpkt->len > n->minmtu) {
614 send_tcppacket(n->connection, origpkt);
616 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
622 static void adapt_socket(const sockaddr_t *sa, int *sock) {
623 /* Make sure we have a suitable socket for the chosen address */
624 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
625 for(int i = 0; i < listen_sockets; i++) {
626 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
634 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
639 /* If the UDP address is confirmed, use it. */
640 if(n->status.udp_confirmed) {
644 /* Send every third packet to n->address; that could be set
645 to the node's reflexive UDP address discovered during key
655 /* Otherwise, address are found in edges to this node.
656 So we pick a random edge and a random socket. */
659 int j = rand() % n->edge_tree->count;
660 edge_t *candidate = NULL;
662 for splay_each(edge_t, e, n->edge_tree) {
664 candidate = e->reverse;
670 *sa = &candidate->address;
671 *sock = rand() % listen_sockets;
674 adapt_socket(*sa, sock);
677 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
680 /* Pick one of the edges from this node at random, then use its local address. */
683 int j = rand() % n->edge_tree->count;
684 edge_t *candidate = NULL;
686 for splay_each(edge_t, e, n->edge_tree) {
693 if(candidate && candidate->local_address.sa.sa_family) {
694 *sa = &candidate->local_address;
695 *sock = rand() % listen_sockets;
696 adapt_socket(*sa, sock);
700 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
701 if(!n->status.reachable) {
702 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
706 if(n->status.sptps) {
707 send_sptps_packet(n, origpkt);
711 #ifdef DISABLE_LEGACY
714 vpn_packet_t pkt1, pkt2;
715 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
716 vpn_packet_t *inpkt = origpkt;
718 vpn_packet_t *outpkt;
719 int origlen = origpkt->len;
721 int origpriority = origpkt->priority;
723 pkt1.offset = DEFAULT_PACKET_OFFSET;
724 pkt2.offset = DEFAULT_PACKET_OFFSET;
726 /* Make sure we have a valid key */
728 if(!n->status.validkey) {
729 logger(DEBUG_TRAFFIC, LOG_INFO,
730 "No valid key known yet for %s (%s), forwarding via TCP",
731 n->name, n->hostname);
732 send_tcppacket(n->nexthop->connection, origpkt);
736 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
737 logger(DEBUG_TRAFFIC, LOG_INFO,
738 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
739 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
741 if(n != n->nexthop) {
742 send_packet(n->nexthop, origpkt);
744 send_tcppacket(n->nexthop->connection, origpkt);
750 /* Compress the packet */
752 if(n->outcompression) {
753 outpkt = pkt[nextpkt++];
755 if(!(outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression))) {
756 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
757 n->name, n->hostname);
764 /* Add sequence number */
766 seqno_t seqno = htonl(++(n->sent_seqno));
767 memcpy(SEQNO(inpkt), &seqno, sizeof(seqno));
768 inpkt->len += sizeof(seqno);
770 /* Encrypt the packet */
772 if(cipher_active(n->outcipher)) {
773 outpkt = pkt[nextpkt++];
776 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
777 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
781 outpkt->len = outlen;
785 /* Add the message authentication code */
787 if(digest_active(n->outdigest)) {
788 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
789 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
793 inpkt->len += digest_length(n->outdigest);
796 /* Send the packet */
798 const sockaddr_t *sa = NULL;
801 if(n->status.send_locally) {
802 choose_local_address(n, &sa, &sock);
806 choose_udp_address(n, &sa, &sock);
809 if(priorityinheritance && origpriority != listen_socket[sock].priority) {
810 listen_socket[sock].priority = origpriority;
812 switch(sa->sa.sa_family) {
816 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
818 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IP, IP_TOS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
819 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
824 #if defined(IPV6_TCLASS)
827 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
829 if(setsockopt(listen_socket[sock].udp.fd, IPPROTO_IPV6, IPV6_TCLASS, (void *)&origpriority, sizeof(origpriority))) { /* SO_PRIORITY doesn't seem to work */
830 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
841 if(sendto(listen_socket[sock].udp.fd, (void *)SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
842 if(sockmsgsize(sockerrno)) {
843 if(n->maxmtu >= origlen) {
844 n->maxmtu = origlen - 1;
847 if(n->mtu >= origlen) {
848 n->mtu = origlen - 1;
853 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
858 origpkt->len = origlen;
862 bool send_sptps_data(node_t *to, node_t *from, int type, const void *data, size_t len) {
863 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
864 bool direct = from == myself && to == relay;
865 bool relay_supported = (relay->options >> 24) >= 4;
866 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
868 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU. */
870 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
871 if(type != SPTPS_HANDSHAKE && (to->nexthop->connection->options >> 24) >= 7) {
872 char buf[len + sizeof(to->id) + sizeof(from->id)];
874 memcpy(buf_ptr, &to->id, sizeof(to->id));
875 buf_ptr += sizeof(to->id);
876 memcpy(buf_ptr, &from->id, sizeof(from->id));
877 buf_ptr += sizeof(from->id);
878 memcpy(buf_ptr, data, len);
879 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (TCP)", from->name, from->hostname, to->name, to->hostname, to->nexthop->name, to->nexthop->hostname);
880 return send_sptps_tcppacket(to->nexthop->connection, buf, sizeof(buf));
883 char buf[len * 4 / 3 + 5];
884 b64encode(data, buf, len);
886 /* If this is a handshake packet, use ANS_KEY instead of REQ_KEY, for two reasons:
887 - We don't want intermediate nodes to switch to UDP to relay these packets;
888 - ANS_KEY allows us to learn the reflexive UDP address. */
889 if(type == SPTPS_HANDSHAKE) {
890 to->incompression = myself->incompression;
891 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
893 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, SPTPS_PACKET, buf);
899 if(relay_supported) {
900 overhead += sizeof(to->id) + sizeof(from->id);
903 char buf[len + overhead];
906 if(relay_supported) {
908 /* Inform the recipient that this packet was sent directly. */
909 node_id_t nullid = {0};
910 memcpy(buf_ptr, &nullid, sizeof(nullid));
911 buf_ptr += sizeof(nullid);
913 memcpy(buf_ptr, &to->id, sizeof(to->id));
914 buf_ptr += sizeof(to->id);
917 memcpy(buf_ptr, &from->id, sizeof(from->id));
918 buf_ptr += sizeof(from->id);
922 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
923 memcpy(buf_ptr, data, len);
926 const sockaddr_t *sa = NULL;
929 if(relay->status.send_locally) {
930 choose_local_address(relay, &sa, &sock);
934 choose_udp_address(relay, &sa, &sock);
937 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (UDP)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
939 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
940 if(sockmsgsize(sockerrno)) {
941 // Compensate for SPTPS overhead
942 len -= SPTPS_DATAGRAM_OVERHEAD;
944 if(relay->maxmtu >= len) {
945 relay->maxmtu = len - 1;
948 if(relay->mtu >= len) {
949 relay->mtu = len - 1;
954 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
962 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
963 node_t *from = handle;
965 if(type == SPTPS_HANDSHAKE) {
966 if(!from->status.validkey) {
967 from->status.validkey = true;
968 from->status.waitingforkey = false;
969 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) successful", from->name, from->hostname);
976 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
981 inpkt.offset = DEFAULT_PACKET_OFFSET;
984 if(type == PKT_PROBE) {
985 if(!from->status.udppacket) {
986 logger(DEBUG_ALWAYS, LOG_ERR, "Got SPTPS PROBE packet from %s (%s) via TCP", from->name, from->hostname);
991 memcpy(DATA(&inpkt), data, len);
993 if(inpkt.len > from->maxrecentlen) {
994 from->maxrecentlen = inpkt.len;
997 udp_probe_h(from, &inpkt, len);
1001 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
1002 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
1006 /* Check if we have the headers we need */
1007 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
1008 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1010 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
1011 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
1014 int offset = (type & PKT_MAC) ? 0 : 14;
1016 if(type & PKT_COMPRESSED) {
1017 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
1022 inpkt.len = ulen + offset;
1025 if(inpkt.len > MAXSIZE) {
1029 memcpy(DATA(&inpkt) + offset, data, len);
1030 inpkt.len = len + offset;
1033 /* Generate the Ethernet packet type if necessary */
1035 switch(DATA(&inpkt)[14] >> 4) {
1037 DATA(&inpkt)[12] = 0x08;
1038 DATA(&inpkt)[13] = 0x00;
1042 DATA(&inpkt)[12] = 0x86;
1043 DATA(&inpkt)[13] = 0xDD;
1047 logger(DEBUG_TRAFFIC, LOG_ERR,
1048 "Unknown IP version %d while reading packet from %s (%s)",
1049 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
1054 if(from->status.udppacket && inpkt.len > from->maxrecentlen) {
1055 from->maxrecentlen = inpkt.len;
1058 receive_packet(from, &inpkt);
1062 // This function tries to get SPTPS keys, if they aren't already known.
1063 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
1064 static void try_sptps(node_t *n) {
1065 if(n->status.validkey) {
1069 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
1071 if(!n->status.waitingforkey) {
1073 } else if(n->last_req_key + 10 < now.tv_sec) {
1074 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
1075 sptps_stop(&n->sptps);
1076 n->status.waitingforkey = false;
1083 static void send_udp_probe_packet(node_t *n, int len) {
1084 vpn_packet_t packet;
1085 packet.offset = DEFAULT_PACKET_OFFSET;
1086 memset(DATA(&packet), 0, 14);
1087 randomize(DATA(&packet) + 14, len - 14);
1089 packet.priority = 0;
1091 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname);
1093 send_udppacket(n, &packet);
1096 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
1097 // If a tunnel is already established, it makes sure it stays up.
1098 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
1099 static void try_udp(node_t *n) {
1100 if(!udp_discovery) {
1104 /* Send gratuitous probe replies to 1.1 nodes. */
1106 if((n->options >> 24) >= 3 && n->status.udp_confirmed) {
1107 struct timeval ping_tx_elapsed;
1108 timersub(&now, &n->udp_reply_sent, &ping_tx_elapsed);
1110 if(ping_tx_elapsed.tv_sec >= udp_discovery_keepalive_interval - 1) {
1111 n->udp_reply_sent = now;
1113 if(n->maxrecentlen) {
1115 pkt.len = n->maxrecentlen;
1116 pkt.offset = DEFAULT_PACKET_OFFSET;
1117 memset(DATA(&pkt), 0, 14);
1118 randomize(DATA(&pkt) + 14, MIN_PROBE_SIZE - 14);
1119 send_udp_probe_reply(n, &pkt, pkt.len);
1120 n->maxrecentlen = 0;
1127 struct timeval ping_tx_elapsed;
1128 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
1130 int interval = n->status.udp_confirmed ? udp_discovery_keepalive_interval : udp_discovery_interval;
1132 if(ping_tx_elapsed.tv_sec >= interval) {
1133 gettimeofday(&now, NULL);
1134 n->udp_ping_sent = now; // a probe in flight
1135 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1137 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
1138 n->status.send_locally = true;
1139 send_udp_probe_packet(n, MIN_PROBE_SIZE);
1140 n->status.send_locally = false;
1145 static length_t choose_initial_maxmtu(node_t *n) {
1150 const sockaddr_t *sa = NULL;
1152 choose_udp_address(n, &sa, &sockindex);
1158 sock = socket(sa->sa.sa_family, SOCK_DGRAM, IPPROTO_UDP);
1161 logger(DEBUG_TRAFFIC, LOG_ERR, "Creating MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1165 if(connect(sock, &sa->sa, SALEN(sa->sa))) {
1166 logger(DEBUG_TRAFFIC, LOG_ERR, "Connecting MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1172 socklen_t ip_mtu_len = sizeof(ip_mtu);
1174 if(getsockopt(sock, IPPROTO_IP, IP_MTU, &ip_mtu, &ip_mtu_len)) {
1175 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
1182 /* getsockopt(IP_MTU) returns the MTU of the physical interface.
1183 We need to remove various overheads to get to the tinc MTU. */
1184 length_t mtu = ip_mtu;
1185 mtu -= (sa->sa.sa_family == AF_INET6) ? sizeof(struct ip6_hdr) : sizeof(struct ip);
1188 if(n->status.sptps) {
1189 mtu -= SPTPS_DATAGRAM_OVERHEAD;
1191 if((n->options >> 24) >= 4) {
1192 mtu -= sizeof(node_id_t) + sizeof(node_id_t);
1195 #ifndef DISABLE_LEGACY
1197 mtu -= digest_length(n->outdigest);
1199 /* Now it's tricky. We use CBC mode, so the length of the
1200 encrypted payload must be a multiple of the blocksize. The
1201 sequence number is also part of the encrypted payload, so we
1202 must account for it after correcting for the blocksize.
1203 Furthermore, the padding in the last block must be at least
1206 length_t blocksize = cipher_blocksize(n->outcipher);
1219 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) returned absurdly small value: %d", n->name, n->hostname, ip_mtu);
1227 logger(DEBUG_TRAFFIC, LOG_INFO, "Using system-provided maximum tinc MTU for %s (%s): %hd", n->name, n->hostname, mtu);
1236 /* This function tries to determines the MTU of a node.
1237 By calling this function repeatedly, n->minmtu will be progressively
1238 increased, and at some point, n->mtu will be fixed to n->minmtu. If the MTU
1239 is already fixed, this function checks if it can be increased.
1242 static void try_mtu(node_t *n) {
1243 if(!(n->options & OPTION_PMTU_DISCOVERY)) {
1247 if(udp_discovery && !n->status.udp_confirmed) {
1248 n->maxrecentlen = 0;
1255 /* mtuprobes == 0..19: initial discovery, send bursts with 1 second interval, mtuprobes++
1256 mtuprobes == 20: fix MTU, and go to -1
1257 mtuprobes == -1: send one maxmtu and one maxmtu+1 probe every pinginterval
1258 mtuprobes ==-2..-3: send one maxmtu probe every second
1259 mtuprobes == -4: maxmtu no longer valid, reset minmtu and maxmtu and go to 0 */
1261 struct timeval elapsed;
1262 timersub(&now, &n->mtu_ping_sent, &elapsed);
1264 if(n->mtuprobes >= 0) {
1265 if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333) {
1269 if(n->mtuprobes < -1) {
1270 if(elapsed.tv_sec < 1) {
1274 if(elapsed.tv_sec < pinginterval) {
1280 n->mtu_ping_sent = now;
1284 if(n->mtuprobes < -3) {
1285 /* We lost three MTU probes, restart discovery */
1286 logger(DEBUG_TRAFFIC, LOG_INFO, "Decrease in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
1291 if(n->mtuprobes < 0) {
1292 /* After the initial discovery, we only send one maxmtu and one
1293 maxmtu+1 probe to detect PMTU increases. */
1294 send_udp_probe_packet(n, n->maxmtu);
1296 if(n->mtuprobes == -1 && n->maxmtu + 1 < MTU) {
1297 send_udp_probe_packet(n, n->maxmtu + 1);
1302 /* Before initial discovery begins, set maxmtu to the most likely value.
1303 If it's underestimated, we will correct it after initial discovery. */
1304 if(n->mtuprobes == 0) {
1305 n->maxmtu = choose_initial_maxmtu(n);
1309 /* Decreasing the number of probes per cycle might make the algorithm react faster to lost packets,
1310 but it will typically increase convergence time in the no-loss case. */
1311 const length_t probes_per_cycle = 8;
1313 /* This magic value was determined using math simulations.
1314 It will result in a 1329-byte first probe, followed (if there was a reply) by a 1407-byte probe.
1315 Since 1407 is just below the range of tinc MTUs over typical networks,
1316 this fine-tuning allows tinc to cover a lot of ground very quickly.
1317 This fine-tuning is only valid for maxmtu = MTU; if maxmtu is smaller,
1318 then it's better to use a multiplier of 1. Indeed, this leads to an interesting scenario
1319 if choose_initial_maxmtu() returns the actual MTU value - it will get confirmed with one single probe. */
1320 const float multiplier = (n->maxmtu == MTU) ? 0.97 : 1;
1322 const float cycle_position = probes_per_cycle - (n->mtuprobes % probes_per_cycle) - 1;
1323 const length_t minmtu = MAX(n->minmtu, 512);
1324 const float interval = n->maxmtu - minmtu;
1326 /* The core of the discovery algorithm is this exponential.
1327 It produces very large probes early in the cycle, and then it very quickly decreases the probe size.
1328 This reflects the fact that in the most difficult cases, we don't get any feedback for probes that
1329 are too large, and therefore we need to concentrate on small offsets so that we can quickly converge
1330 on the precise MTU as we are approaching it.
1331 The last probe of the cycle is always 1 byte in size - this is to make sure we'll get at least one
1332 reply per cycle so that we can make progress. */
1333 const length_t offset = powf(interval, multiplier * cycle_position / (probes_per_cycle - 1));
1335 length_t maxmtu = n->maxmtu;
1336 send_udp_probe_packet(n, minmtu + offset);
1338 /* If maxmtu changed, it means the probe was rejected by the system because it was too large.
1339 In that case, we recalculate with the new maxmtu and try again. */
1340 if(n->mtuprobes < 0 || maxmtu == n->maxmtu) {
1345 if(n->mtuprobes >= 0) {
1351 /* These functions try to establish a tunnel to a node (or its relay) so that
1352 packets can be sent (e.g. exchange keys).
1353 If a tunnel is already established, it tries to improve it (e.g. by trying
1354 to establish a UDP tunnel instead of TCP). This function makes no
1355 guarantees - it is up to the caller to check the node's state to figure out
1356 if TCP and/or UDP is usable. By calling this function repeatedly, the
1357 tunnel is gradually improved until we hit the wall imposed by the underlying
1358 network environment. It is recommended to call this function every time a
1359 packet is sent (or intended to be sent) to a node, so that the tunnel keeps
1360 improving as packets flow, and then gracefully downgrades itself as it goes
1364 static void try_tx_sptps(node_t *n, bool mtu) {
1365 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
1366 messages anyway, so there's no need for SPTPS at all. */
1368 if(n->connection && ((myself->options | n->options) & OPTION_TCPONLY)) {
1372 /* Otherwise, try to do SPTPS authentication with n if necessary. */
1376 /* Do we need to statically relay packets? */
1378 node_t *via = (n->via == myself) ? n->nexthop : n->via;
1380 /* If we do have a static relay, try everything with that one instead, if it supports relaying. */
1383 if((via->options >> 24) < 4) {
1391 /* Otherwise, try to establish UDP connectivity. */
1399 /* If we don't have UDP connectivity (yet), we need to use a dynamic relay (nexthop)
1400 while we try to establish direct connectivity. */
1402 if(!n->status.udp_confirmed && n != n->nexthop && (n->nexthop->options >> 24) >= 4) {
1403 try_tx(n->nexthop, mtu);
1407 static void try_tx_legacy(node_t *n, bool mtu) {
1408 /* Does he have our key? If not, send one. */
1410 if(!n->status.validkey_in) {
1414 /* Check if we already have a key, or request one. */
1416 if(!n->status.validkey) {
1417 if(n->last_req_key + 10 <= now.tv_sec) {
1419 n->last_req_key = now.tv_sec;
1432 void try_tx(node_t *n, bool mtu) {
1433 if(!n->status.reachable) {
1437 if(n->status.sptps) {
1438 try_tx_sptps(n, mtu);
1440 try_tx_legacy(n, mtu);
1444 void send_packet(node_t *n, vpn_packet_t *packet) {
1445 // If it's for myself, write it to the tun/tap device.
1449 memcpy(DATA(packet), mymac.x, ETH_ALEN);
1450 // Use an arbitrary fake source address.
1451 memcpy(DATA(packet) + ETH_ALEN, DATA(packet), ETH_ALEN);
1452 DATA(packet)[ETH_ALEN * 2 - 1] ^= 0xFF;
1456 n->out_bytes += packet->len;
1457 devops.write(packet);
1461 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)", packet->len, n->name, n->hostname);
1463 // If the node is not reachable, drop it.
1465 if(!n->status.reachable) {
1466 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable", n->name, n->hostname);
1470 // Keep track of packet statistics.
1473 n->out_bytes += packet->len;
1475 // Check if it should be sent as an SPTPS packet.
1477 if(n->status.sptps) {
1478 send_sptps_packet(n, packet);
1483 // Determine which node to actually send it to.
1485 node_t *via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1488 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)", n->name, via->name, n->via->hostname);
1491 // Try to send via UDP, unless TCP is forced.
1493 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1494 if(!send_tcppacket(via->connection, packet)) {
1495 terminate_connection(via->connection, true);
1501 send_udppacket(via, packet);
1505 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1506 // Always give ourself a copy of the packet.
1507 if(from != myself) {
1508 send_packet(myself, packet);
1511 // In TunnelServer mode, do not forward broadcast packets.
1512 // The MST might not be valid and create loops.
1513 if(tunnelserver || broadcast_mode == BMODE_NONE) {
1517 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1518 packet->len, from->name, from->hostname);
1520 switch(broadcast_mode) {
1521 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1522 // This guarantees all nodes receive the broadcast packet, and
1523 // usually distributes the sending of broadcast packets over all nodes.
1525 for list_each(connection_t, c, connection_list)
1526 if(c->edge && c->status.mst && c != from->nexthop->connection) {
1527 send_packet(c->node, packet);
1532 // In direct mode, we send copies to each node we know of.
1533 // However, this only reaches nodes that can be reached in a single hop.
1534 // We don't have enough information to forward broadcast packets in this case.
1536 if(from != myself) {
1540 for splay_each(node_t, n, node_tree)
1541 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n)) {
1542 send_packet(n, packet);
1552 /* We got a packet from some IP address, but we don't know who sent it. Try to
1553 verify the message authentication code against all active session keys.
1554 Since this is actually an expensive operation, we only do a full check once
1555 a minute, the rest of the time we only check against nodes for which we know
1556 an IP address that matches the one from the packet. */
1558 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1559 node_t *match = NULL;
1561 static time_t last_hard_try = 0;
1563 for splay_each(node_t, n, node_tree) {
1564 if(!n->status.reachable || n == myself) {
1568 if(!n->status.validkey_in && !(n->status.sptps && n->sptps.instate)) {
1574 for splay_each(edge_t, e, n->edge_tree) {
1579 if(!sockaddrcmp_noport(from, &e->reverse->address)) {
1586 if(last_hard_try == now.tv_sec) {
1593 if(!try_mac(n, pkt)) {
1602 last_hard_try = now.tv_sec;
1608 static void handle_incoming_vpn_packet(listen_socket_t *ls, vpn_packet_t *pkt, sockaddr_t *addr) {
1610 node_id_t nullid = {0};
1612 bool direct = false;
1614 sockaddrunmap(addr); /* Some braindead IPv6 implementations do stupid things. */
1616 // Try to figure out who sent this packet.
1618 node_t *n = lookup_node_udp(addr);
1620 if(n && !n->status.udp_confirmed) {
1621 n = NULL; // Don't believe it if we don't have confirmation yet.
1625 // It might be from a 1.1 node, which might have a source ID in the packet.
1626 pkt->offset = 2 * sizeof(node_id_t);
1627 from = lookup_node_id(SRCID(pkt));
1629 if(from && !memcmp(DSTID(pkt), &nullid, sizeof(nullid)) && from->status.sptps) {
1630 if(sptps_verify_datagram(&from->sptps, DATA(pkt), pkt->len - 2 * sizeof(node_id_t))) {
1640 n = try_harder(addr, pkt);
1646 if(debug_level >= DEBUG_PROTOCOL) {
1647 hostname = sockaddr2hostname(addr);
1648 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1657 if(n->status.sptps) {
1658 bool relay_enabled = (n->options >> 24) >= 4;
1661 pkt->offset = 2 * sizeof(node_id_t);
1662 pkt->len -= pkt->offset;
1665 if(!memcmp(DSTID(pkt), &nullid, sizeof(nullid)) || !relay_enabled) {
1670 from = lookup_node_id(SRCID(pkt));
1671 to = lookup_node_id(DSTID(pkt));
1675 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1679 if(!to->status.reachable) {
1680 /* This can happen in the form of a race condition
1681 if the node just became unreachable. */
1682 logger(DEBUG_TRAFFIC, LOG_WARNING, "Cannot relay packet from %s (%s) because the destination, %s (%s), is unreachable", from->name, from->hostname, to->name, to->hostname);
1686 /* The packet is supposed to come from the originator or its static relay
1687 (i.e. with no dynamic relays in between).
1688 If it did not, "help" the static relay by sending it UDP info.
1689 Note that we only do this if we're the destination or the static relay;
1690 otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
1692 if(n != from->via && to->via == myself) {
1693 send_udp_info(myself, from);
1696 /* If we're not the final recipient, relay the packet. */
1699 send_sptps_data(to, from, 0, DATA(pkt), pkt->len);
1708 if(!receive_udppacket(from, pkt)) {
1712 n->sock = ls - listen_socket;
1714 if(direct && sockaddrcmp(addr, &n->address)) {
1715 update_node_udp(n, addr);
1718 /* If the packet went through a relay, help the sender find the appropriate MTU
1719 through the relay path. */
1722 send_mtu_info(myself, n, MTU);
1726 void handle_incoming_vpn_data(void *data, int flags) {
1729 listen_socket_t *ls = data;
1731 #ifdef HAVE_RECVMMSG
1733 static int num = MAX_MSG;
1734 static vpn_packet_t pkt[MAX_MSG];
1735 static sockaddr_t addr[MAX_MSG];
1736 static struct mmsghdr msg[MAX_MSG];
1737 static struct iovec iov[MAX_MSG];
1739 for(int i = 0; i < num; i++) {
1742 iov[i] = (struct iovec) {
1743 .iov_base = DATA(&pkt[i]),
1747 msg[i].msg_hdr = (struct msghdr) {
1748 .msg_name = &addr[i].sa,
1749 .msg_namelen = sizeof(addr)[i],
1755 num = recvmmsg(ls->udp.fd, msg, MAX_MSG, MSG_DONTWAIT, NULL);
1758 if(!sockwouldblock(sockerrno)) {
1759 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1765 for(int i = 0; i < num; i++) {
1766 pkt[i].len = msg[i].msg_len;
1768 if(pkt[i].len <= 0 || pkt[i].len > MAXSIZE) {
1772 handle_incoming_vpn_packet(ls, &pkt[i], &addr[i]);
1777 sockaddr_t addr = {0};
1778 socklen_t addrlen = sizeof(addr);
1781 int len = recvfrom(ls->udp.fd, (void *)DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1783 if(len <= 0 || (size_t)len > MAXSIZE) {
1784 if(!sockwouldblock(sockerrno)) {
1785 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1793 handle_incoming_vpn_packet(ls, &pkt, &addr);
1797 void handle_device_data(void *data, int flags) {
1800 vpn_packet_t packet;
1801 packet.offset = DEFAULT_PACKET_OFFSET;
1802 packet.priority = 0;
1803 static int errors = 0;
1805 if(devops.read(&packet)) {
1807 myself->in_packets++;
1808 myself->in_bytes += packet.len;
1809 route(myself, &packet);
1811 usleep(errors * 50000);
1815 logger(DEBUG_ALWAYS, LOG_ERR, "Too many errors from %s, exiting!", device);