2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 2014 Guus Sliepen <guus@meshlink.io>
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 2 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License along
16 with this program; if not, write to the Free Software Foundation, Inc.,
17 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
28 #include "connection.h"
42 static void send_udppacket(node_t *, vpn_packet_t *);
44 unsigned replaywin = 16;
45 bool localdiscovery = false;
46 sockaddr_t localdiscovery_address;
48 #define MAX_SEQNO 1073741824
50 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
51 mtuprobes == 31: sleep pinginterval seconds
52 mtuprobes == 32: send 1 burst, sleep pingtimeout second
53 mtuprobes == 33: no response from other side, restart PMTU discovery process
55 Probes are sent in batches of at least three, with random sizes between the
56 lower and upper boundaries for the MTU thus far discovered.
58 After the initial discovery, a fourth packet is added to each batch with a
59 size larger than the currently known PMTU, to test if the PMTU has increased.
61 In case local discovery is enabled, another packet is added to each batch,
62 which will be broadcast to the local network.
66 static void send_mtu_probe_handler(void *data) {
72 if(!n->status.reachable || !n->status.validkey) {
73 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
78 if(n->mtuprobes > 32) {
81 timeout = pinginterval;
85 logger(DEBUG_TRAFFIC, LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
86 n->status.udp_confirmed = false;
92 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
93 logger(DEBUG_TRAFFIC, LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
97 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
98 if(n->minmtu > n->maxmtu)
99 n->minmtu = n->maxmtu;
101 n->maxmtu = n->minmtu;
103 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
107 if(n->mtuprobes == 31) {
108 timeout = pinginterval;
110 } else if(n->mtuprobes == 32) {
111 timeout = pingtimeout;
114 for(int i = 0; i < 4 + localdiscovery; i++) {
118 if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
121 } else if(n->maxmtu <= n->minmtu) {
124 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
131 memset(packet.data, 0, 14);
132 randomize(packet.data + 14, len - 14);
134 n->status.broadcast = i >= 4 && n->mtuprobes <= 10 && n->prevedge;
136 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
138 send_udppacket(n, &packet);
141 n->status.broadcast = false;
142 n->probe_counter = 0;
143 gettimeofday(&n->probe_time, NULL);
145 /* Calculate the packet loss of incoming traffic by comparing the rate of
146 packets received to the rate with which the sequence number has increased.
149 if(n->received > n->prev_received)
150 n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
152 n->packetloss = n->received_seqno <= n->prev_received_seqno;
154 n->prev_received_seqno = n->received_seqno;
155 n->prev_received = n->received;
158 timeout_set(&n->mtutimeout, &(struct timeval){timeout, rand() % 100000});
161 void send_mtu_probe(node_t *n) {
162 timeout_add(&n->mtutimeout, send_mtu_probe_handler, n, &(struct timeval){1, 0});
163 send_mtu_probe_handler(n);
166 static void mtu_probe_h(node_t *n, vpn_packet_t *packet, uint16_t len) {
167 logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname);
169 if(!packet->data[0]) {
170 /* It's a probe request, send back a reply */
174 /* Temporarily set udp_confirmed, so that the reply is sent
175 back exactly the way it came in. */
177 bool udp_confirmed = n->status.udp_confirmed;
178 n->status.udp_confirmed = true;
179 send_udppacket(n, packet);
180 n->status.udp_confirmed = udp_confirmed;
182 /* It's a valid reply: now we know bidirectional communication
183 is possible using the address and socket that the reply
186 n->status.udp_confirmed = true;
188 /* If we haven't established the PMTU yet, restart the discovery process. */
190 if(n->mtuprobes > 30) {
191 if (len == n->maxmtu + 8) {
192 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
204 /* If applicable, raise the minimum supported MTU */
211 /* Calculate RTT and bandwidth.
212 The RTT is the time between the MTU probe burst was sent and the first
213 reply is received. The bandwidth is measured using the time between the
214 arrival of the first and third probe reply.
217 struct timeval now, diff;
218 gettimeofday(&now, NULL);
219 timersub(&now, &n->probe_time, &diff);
223 if(n->probe_counter == 1) {
224 n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
226 } else if(n->probe_counter == 3) {
227 n->bandwidth = 2.0 * len / (diff.tv_sec + diff.tv_usec * 1e-6);
228 logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, burst bandwidth %.3f Mbit/s, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->bandwidth * 8e-6, n->packetloss * 1e2);
233 static uint16_t compress_packet(uint8_t *dest, const uint8_t *source, uint16_t len, int level) {
235 memcpy(dest, source, len);
237 } else if(level == 10) {
239 } else if(level < 10) {
241 unsigned long destlen = MAXSIZE;
242 if(compress2(dest, &destlen, source, len, level) == Z_OK)
254 static uint16_t uncompress_packet(uint8_t *dest, const uint8_t *source, uint16_t len, int level) {
256 memcpy(dest, source, len);
258 } else if(level > 9) {
263 unsigned long destlen = MAXSIZE;
264 if(uncompress(dest, &destlen, source, len) == Z_OK)
276 static void receive_packet(node_t *n, vpn_packet_t *packet) {
277 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
278 packet->len, n->name, n->hostname);
281 n->in_bytes += packet->len;
286 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
287 return sptps_verify_datagram(&n->sptps, inpkt->data, inpkt->len);
290 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
291 if(!n->sptps.state) {
292 if(!n->status.waitingforkey) {
293 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
296 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
300 sptps_receive_data(&n->sptps, inpkt->data, inpkt->len);
303 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
306 if(len > sizeof outpkt.data)
311 memcpy(outpkt.data, buffer, len);
313 receive_packet(c->node, &outpkt);
316 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
317 if(!n->status.validkey) {
318 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
319 if(!n->status.waitingforkey)
321 else if(n->last_req_key + 10 < now.tv_sec) {
322 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
323 sptps_stop(&n->sptps);
324 n->status.waitingforkey = false;
332 // If it's a probe, send it immediately without trying to compress it.
334 sptps_send_record(&n->sptps, PKT_PROBE, origpkt->data, origpkt->len);
340 if(n->outcompression) {
341 int len = compress_packet(outpkt.data, origpkt->data, origpkt->len, n->outcompression);
343 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
344 } else if(len < origpkt->len) {
347 type |= PKT_COMPRESSED;
351 sptps_send_record(&n->sptps, type, origpkt->data, origpkt->len);
355 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
360 /* If the UDP address is confirmed, use it. */
361 if(n->status.udp_confirmed)
364 /* Send every third packet to n->address; that could be set
365 to the node's reflexive UDP address discovered during key
374 /* Otherwise, address are found in edges to this node.
375 So we pick a random edge and a random socket. */
378 int j = rand() % n->edge_tree->count;
379 edge_t *candidate = NULL;
381 for splay_each(edge_t, e, n->edge_tree) {
383 candidate = e->reverse;
389 *sa = &candidate->address;
390 *sock = rand() % listen_sockets;
393 /* Make sure we have a suitable socket for the chosen address */
394 if(listen_socket[*sock].sa.sa.sa_family != (*sa)->sa.sa_family) {
395 for(int i = 0; i < listen_sockets; i++) {
396 if(listen_socket[i].sa.sa.sa_family == (*sa)->sa.sa_family) {
404 static void choose_broadcast_address(const node_t *n, const sockaddr_t **sa, int *sock) {
405 static sockaddr_t broadcast_ipv4 = {
407 .sin_family = AF_INET,
408 .sin_addr.s_addr = -1,
412 static sockaddr_t broadcast_ipv6 = {
414 .sin6_family = AF_INET6,
415 .sin6_addr.s6_addr[0x0] = 0xff,
416 .sin6_addr.s6_addr[0x1] = 0x02,
417 .sin6_addr.s6_addr[0xf] = 0x01,
421 *sock = rand() % listen_sockets;
423 if(listen_socket[*sock].sa.sa.sa_family == AF_INET6) {
424 if(localdiscovery_address.sa.sa_family == AF_INET6) {
425 localdiscovery_address.in6.sin6_port = n->prevedge->address.in.sin_port;
426 *sa = &localdiscovery_address;
428 broadcast_ipv6.in6.sin6_port = n->prevedge->address.in.sin_port;
429 broadcast_ipv6.in6.sin6_scope_id = listen_socket[*sock].sa.in6.sin6_scope_id;
430 *sa = &broadcast_ipv6;
433 if(localdiscovery_address.sa.sa_family == AF_INET) {
434 localdiscovery_address.in.sin_port = n->prevedge->address.in.sin_port;
435 *sa = &localdiscovery_address;
437 broadcast_ipv4.in.sin_port = n->prevedge->address.in.sin_port;
438 *sa = &broadcast_ipv4;
443 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
444 vpn_packet_t pkt1, pkt2;
445 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
446 vpn_packet_t *inpkt = origpkt;
448 vpn_packet_t *outpkt;
449 int origlen = origpkt->len;
452 if(!n->status.reachable) {
453 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
457 return send_sptps_packet(n, origpkt);
460 bool send_sptps_data(void *handle, uint8_t type, const char *data, size_t len) {
463 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, or this packet is larger than the MTU. */
465 if(type >= SPTPS_HANDSHAKE || ((myself->options | to->options) & OPTION_TCPONLY) || (type != PKT_PROBE && len > to->minmtu)) {
466 char buf[len * 4 / 3 + 5];
467 b64encode(data, buf, len);
468 /* If no valid key is known yet, send the packets using ANS_KEY requests,
469 to ensure we get to learn the reflexive UDP address. */
470 if(!to->status.validkey) {
471 to->incompression = myself->incompression;
472 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, myself->name, to->name, buf, to->incompression);
474 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, to->name, REQ_SPTPS, buf);
478 /* Otherwise, send the packet via UDP */
480 const sockaddr_t *sa;
483 if(to->status.broadcast)
484 choose_broadcast_address(to, &sa, &sock);
486 choose_udp_address(to, &sa, &sock);
488 if(sendto(listen_socket[sock].udp.fd, data, len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
489 if(sockmsgsize(sockerrno)) {
490 if(to->maxmtu >= len)
491 to->maxmtu = len - 1;
495 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", to->name, to->hostname, sockstrerror(sockerrno));
503 bool receive_sptps_record(void *handle, uint8_t type, const char *data, uint16_t len) {
504 node_t *from = handle;
506 if(type == SPTPS_HANDSHAKE) {
507 if(!from->status.validkey) {
508 from->status.validkey = true;
509 from->status.waitingforkey = false;
510 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
516 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
522 if(type == PKT_PROBE) {
525 memcpy(inpkt.data, data, len);
526 mtu_probe_h(from, &inpkt, len);
532 if(type & ~(PKT_COMPRESSED)) {
533 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
537 if(type & PKT_COMPRESSED) {
538 uint16_t ulen = uncompress_packet(inpkt.data, (const uint8_t *)data, len, from->incompression);
544 if(inpkt.len > MAXSIZE)
547 memcpy(inpkt.data, data, len);
551 receive_packet(from, &inpkt);
556 send a packet to the given vpn ip.
558 void send_packet(node_t *n, vpn_packet_t *packet) {
563 n->out_bytes += packet->len;
564 // TODO: send to application
568 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
569 packet->len, n->name, n->hostname);
571 if(!n->status.reachable) {
572 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
573 n->name, n->hostname);
578 n->out_bytes += packet->len;
580 send_sptps_packet(n, packet);
584 /* Broadcast a packet using the minimum spanning tree */
586 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
587 // Always give ourself a copy of the packet.
589 send_packet(myself, packet);
591 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
592 packet->len, from->name, from->hostname);
594 for list_each(connection_t, c, connection_list)
595 if(c->status.active && c->status.mst && c != from->nexthop->connection)
596 send_packet(c->node, packet);
599 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
602 static time_t last_hard_try = 0;
604 for splay_each(edge_t, e, edge_weight_tree) {
605 if(!e->to->status.reachable || e->to == myself)
608 if(sockaddrcmp_noport(from, &e->address)) {
609 if(last_hard_try == now.tv_sec)
614 if(!try_mac(e->to, pkt))
622 last_hard_try = now.tv_sec;
624 last_hard_try = now.tv_sec;
628 void handle_incoming_vpn_data(void *data, int flags) {
629 listen_socket_t *ls = data;
632 sockaddr_t from = {{0}};
633 socklen_t fromlen = sizeof from;
637 len = recvfrom(ls->udp.fd, pkt.data, MAXSIZE, 0, &from.sa, &fromlen);
639 if(len <= 0 || len > MAXSIZE) {
640 if(!sockwouldblock(sockerrno))
641 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
647 sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
649 n = lookup_node_udp(&from);
652 n = try_harder(&from, &pkt);
654 update_node_udp(n, &from);
655 else if(debug_level >= DEBUG_PROTOCOL) {
656 hostname = sockaddr2hostname(&from);
657 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
665 n->sock = ls - listen_socket;
667 receive_udppacket(n, &pkt);
projects / meshlink / blob