ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.7 by pcg, Sat Apr 5 17:54:22 2003 UTC vs.
Revision 1.21 by pcg, Thu Oct 16 02:28:36 2003 UTC

35#include "slog.h" 35#include "slog.h"
36#include "device.h" 36#include "device.h"
37#include "vpn.h" 37#include "vpn.h"
38#include "connection.h" 38#include "connection.h"
39 39
40#include "netcompat.h"
41
40#if !HAVE_RAND_PSEUDO_BYTES 42#if !HAVE_RAND_PSEUDO_BYTES
41# define RAND_pseudo_bytes RAND_bytes 43# define RAND_pseudo_bytes RAND_bytes
42#endif 44#endif
43 45
44#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 46#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
147 } 149 }
148} 150}
149 151
150////////////////////////////////////////////////////////////////////////////// 152//////////////////////////////////////////////////////////////////////////////
151 153
152void pkt_queue::put (tap_packet *p) 154void pkt_queue::put (net_packet *p)
153{ 155{
154 if (queue[i]) 156 if (queue[i])
155 { 157 {
156 delete queue[i]; 158 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH; 159 j = (j + 1) % QUEUEDEPTH;
160 queue[i] = p; 162 queue[i] = p;
161 163
162 i = (i + 1) % QUEUEDEPTH; 164 i = (i + 1) % QUEUEDEPTH;
163} 165}
164 166
165tap_packet *pkt_queue::get () 167net_packet *pkt_queue::get ()
166{ 168{
167 tap_packet *p = queue[j]; 169 net_packet *p = queue[j];
168 170
169 if (p) 171 if (p)
170 { 172 {
171 queue[j] = 0; 173 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH; 174 j = (j + 1) % QUEUEDEPTH;
197// only do action once every x seconds per host whole allowing bursts. 199// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 200// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 201// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 202struct net_rate_limiter : list<net_rateinfo>
201{ 203{
202 static const double ALPHA = 1. - 1. / 90.; // allow bursts 204 static const double ALPHA = 1. - 1. / 600.; // allow bursts
203 static const double CUTOFF = 20.; // one event every CUTOFF seconds 205 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 206 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
207 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205 208
206 bool can (const sockinfo &si) { return can((u32)si.host); } 209 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 210 bool can (u32 host);
208}; 211};
209 212
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 213net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 214
225 { 228 {
226 net_rateinfo ri; 229 net_rateinfo ri;
227 230
228 ri.host = host; 231 ri.host = host;
229 ri.pcnt = 1.; 232 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 233 ri.diff = MAXDIF;
231 ri.last = NOW; 234 ri.last = NOW;
232 235
233 push_front (ri); 236 push_front (ri);
234 237
235 return true; 238 return true;
242 ri.pcnt = ri.pcnt * ALPHA; 245 ri.pcnt = ri.pcnt * ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 246 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244 247
245 ri.last = NOW; 248 ri.last = NOW;
246 249
250 double dif = ri.diff / ri.pcnt;
251
247 bool send = ri.diff / ri.pcnt > CUTOFF; 252 bool send = dif > CUTOFF;
248 253
254 if (dif > MAXDIF)
255 {
256 ri.pcnt = 1.;
257 ri.diff = MAXDIF;
258 }
249 if (send) 259 else if (send)
250 ri.pcnt++; 260 ri.pcnt++;
251 261
252 push_front (ri); 262 push_front (ri);
253 263
254 return send; 264 return send;
467 set_hdr (type, dst); 477 set_hdr (type, dst);
468} 478}
469 479
470bool config_packet::chk_config () const 480bool config_packet::chk_config () const
471{ 481{
472 return prot_major == PROTOCOL_MAJOR 482 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 483 slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 484 else if (randsize != RAND_SIZE)
475 && flags == curflags () 485 slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE);
486 else if (hmaclen != HMACLENGTH)
487 slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH);
488 else if (flags != curflags ())
489 slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
476 && challengelen == sizeof (rsachallenge) 490 else if (challengelen != sizeof (rsachallenge))
491 slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 492 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
493 slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 494 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
495 slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 496 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
497 slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
498 else
499 return true;
500
501 return false;
480} 502}
481 503
482struct auth_req_packet : config_packet 504struct auth_req_packet : config_packet
483{ 505{
484 char magic[8]; 506 char magic[8];
546}; 568};
547 569
548///////////////////////////////////////////////////////////////////////////// 570/////////////////////////////////////////////////////////////////////////////
549 571
550void 572void
573connection::connection_established ()
574{
575 if (ictx && octx)
576 {
577 connectmode = conf->connectmode;
578
579 rekey.start (NOW + ::conf.rekey);
580 keepalive.start (NOW + ::conf.keepalive);
581
582 // send queued packets
583 if (ictx && octx)
584 {
585 while (tap_packet *p = (tap_packet *)data_queue.get ())
586 {
587 send_data_packet (p);
588 delete p;
589 }
590
591 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
592 {
593 send_vpn_packet (p, si, IPTOS_RELIABILITY);
594 delete p;
595 }
596 }
597 }
598 else
599 {
600 retry_cnt = 0;
601 establish_connection.start (NOW + 5);
602 keepalive.reset ();
603 rekey.reset ();
604 }
605}
606
607void
551connection::reset_dstaddr () 608connection::reset_si ()
552{ 609{
553 protocol = best_protocol (THISNODE->protocols & conf->protocols); 610 protocol = best_protocol (THISNODE->protocols & conf->protocols);
554 611
555 // mask out protocols we cannot establish 612 // mask out protocols we cannot establish
556 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 613 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
557 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 614 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
558 615
559 si.set (conf, protocol); 616 si.set (conf, protocol);
560} 617}
561 618
619// ensure sockinfo is valid, forward if necessary
620const sockinfo &
621connection::forward_si (const sockinfo &si) const
622{
623 if (!si.valid ())
624 {
625 connection *r = vpn->find_router ();
626
627 if (r)
628 {
629 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
630 conf->nodename, r->conf->nodename);
631 return r->si;
632 }
633 else
634 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
635 conf->nodename);
636 }
637
638 return si;
639}
640
641void
642connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
643{
644 if (!vpn->send_vpn_packet (pkt, si, tos))
645 reset_connection ();
646}
647
562void 648void
563connection::send_ping (const sockinfo &si, u8 pong) 649connection::send_ping (const sockinfo &si, u8 pong)
564{ 650{
565 ping_packet *pkt = new ping_packet; 651 ping_packet *pkt = new ping_packet;
566 652
567 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 653 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
568 vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 654 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
569 655
570 delete pkt; 656 delete pkt;
571} 657}
572 658
573void 659void
576 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED) 662 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
577 { 663 {
578 config_packet *pkt = new config_packet; 664 config_packet *pkt = new config_packet;
579 665
580 pkt->setup (vpn_packet::PT_RESET, conf->id); 666 pkt->setup (vpn_packet::PT_RESET, conf->id);
581 vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST); 667 send_vpn_packet (pkt, si, IPTOS_MINCOST);
582 668
583 delete pkt; 669 delete pkt;
584 } 670 }
585} 671}
586 672
598 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 684 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
599 fatal ("RSA_public_encrypt error"); 685 fatal ("RSA_public_encrypt error");
600 686
601 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 687 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
602 688
603 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 689 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
604 690
605 delete pkt; 691 delete pkt;
606} 692}
607 693
608void 694void
616 702
617 pkt->hmac_set (octx); 703 pkt->hmac_set (octx);
618 704
619 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 705 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
620 706
621 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 707 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
622 708
623 delete pkt; 709 delete pkt;
624} 710}
625 711
626void 712void
630 conf->id, rid, (const char *)rsi); 716 conf->id, rid, (const char *)rsi);
631 717
632 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 718 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
633 719
634 r->hmac_set (octx); 720 r->hmac_set (octx);
635 vpn->send_vpn_packet (r, si); 721 send_vpn_packet (r, si);
636 722
637 delete r; 723 delete r;
638} 724}
639 725
640void 726void
651 if (retry_int < 3600 * 8) 737 if (retry_int < 3600 * 8)
652 retry_cnt++; 738 retry_cnt++;
653 739
654 w.at = NOW + retry_int; 740 w.at = NOW + retry_int;
655 741
656 if (conf->hostname) 742 reset_si ();
743
744 if (si.prot && !si.host)
745 vpn->send_connect_request (conf->id);
746 else
657 { 747 {
658 reset_dstaddr (); 748 const sockinfo &dsi = forward_si (si);
659 749
660 if (si.valid () && auth_rate_limiter.can (si)) 750 if (dsi.valid () && auth_rate_limiter.can (dsi))
661 { 751 {
662 if (retry_cnt < 4) 752 if (retry_cnt < 4)
663 send_auth_request (si, true); 753 send_auth_request (dsi, true);
664 else 754 else
665 send_ping (si, 0); 755 send_ping (dsi, 0);
666 } 756 }
667 } 757 }
668 else
669 vpn->connect_request (conf->id);
670 } 758 }
671} 759}
672 760
673void 761void
674connection::reset_connection () 762connection::reset_connection ()
712 reset_connection (); 800 reset_connection ();
713 establish_connection (); 801 establish_connection ();
714} 802}
715 803
716void 804void
717connection::send_data_packet (tap_packet *pkt, bool broadcast) 805connection::send_data_packet (tap_packet *pkt)
718{ 806{
719 vpndata_packet *p = new vpndata_packet; 807 vpndata_packet *p = new vpndata_packet;
720 int tos = 0; 808 int tos = 0;
721 809
722 if (conf->inherit_tos 810 // I am not hilarious about peeking into packets, but so be it.
723 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 811 if (conf->inherit_tos && pkt->is_ipv4 ())
724 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
725 tos = (*pkt)[15] & IPTOS_TOS_MASK; 812 tos = (*pkt)[15] & IPTOS_TOS_MASK;
726 813
727 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 814 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
728 vpn->send_vpn_packet (p, si, tos); 815 send_vpn_packet (p, si, tos);
729 816
730 delete p; 817 delete p;
731 818
732 if (oseqno > MAX_SEQNO) 819 if (oseqno > MAX_SEQNO)
733 rekey (); 820 rekey ();
734} 821}
735 822
736void 823void
737connection::inject_data_packet (tap_packet *pkt, bool broadcast) 824connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/)
738{ 825{
739 if (ictx && octx) 826 if (ictx && octx)
740 send_data_packet (pkt, broadcast); 827 send_data_packet (pkt);
741 else 828 else
742 { 829 {
743 if (!broadcast)//DDDD 830 if (!broadcast)//DDDD
744 queue.put (new tap_packet (*pkt)); 831 data_queue.put (new tap_packet (*pkt));
832
833 establish_connection ();
834 }
835}
836
837void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
838{
839 if (ictx && octx)
840 send_vpn_packet (pkt, si, tos);
841 else
842 {
843 vpn_queue.put (new vpn_packet (*pkt));
745 844
746 establish_connection (); 845 establish_connection ();
747 } 846 }
748} 847}
749 848
811 rsachallenge k; 910 rsachallenge k;
812 911
813 if (0 > RSA_private_decrypt (sizeof (p->encr), 912 if (0 > RSA_private_decrypt (sizeof (p->encr),
814 (unsigned char *)&p->encr, (unsigned char *)&k, 913 (unsigned char *)&p->encr, (unsigned char *)&k,
815 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 914 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
816 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 915 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
817 conf->nodename, (const char *)rsi); 916 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
818 else 917 else
819 { 918 {
820 retry_cnt = 0;
821 establish_connection.start (NOW + 8); //? ;)
822 keepalive.reset ();
823 rekey.reset ();
824
825 delete ictx;
826 ictx = 0;
827
828 delete octx; 919 delete octx;
829 920
830 octx = new crypto_ctx (k, 1); 921 octx = new crypto_ctx (k, 1);
831 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 922 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
832 923
833 conf->protocols = p->protocols; 924 conf->protocols = p->protocols;
925
834 send_auth_response (rsi, p->id, k); 926 send_auth_response (rsi, p->id, k);
927
928 connection_established ();
835 929
836 break; 930 break;
837 } 931 }
838 } 932 }
933 else
934 slog (L_WARN, _("%s(%s): protocol mismatch"),
935 conf->nodename, (const char *)rsi);
839 936
840 send_reset (rsi); 937 send_reset (rsi);
841 } 938 }
842 939
843 break; 940 break;
856 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 953 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
857 954
858 rsachallenge chg; 955 rsachallenge chg;
859 956
860 if (!rsa_cache.find (p->id, chg)) 957 if (!rsa_cache.find (p->id, chg))
958 {
861 slog (L_ERR, _("%s(%s): unrequested auth response"), 959 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
862 conf->nodename, (const char *)rsi); 960 conf->nodename, (const char *)rsi);
961 break;
962 }
863 else 963 else
864 { 964 {
865 crypto_ctx *cctx = new crypto_ctx (chg, 0); 965 crypto_ctx *cctx = new crypto_ctx (chg, 0);
866 966
867 if (!p->hmac_chk (cctx)) 967 if (!p->hmac_chk (cctx))
968 {
868 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 969 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
869 "could be an attack, or just corruption or an synchronization error"), 970 "could be an attack, or just corruption or an synchronization error"),
870 conf->nodename, (const char *)rsi); 971 conf->nodename, (const char *)rsi);
972 break;
973 }
871 else 974 else
872 { 975 {
873 rsaresponse h; 976 rsaresponse h;
874 977
875 rsa_hash (p->id, chg, h); 978 rsa_hash (p->id, chg, h);
883 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 986 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
884 987
885 si = rsi; 988 si = rsi;
886 protocol = rsi.prot; 989 protocol = rsi.prot;
887 990
888 rekey.start (NOW + ::conf.rekey); 991 connection_established ();
889 keepalive.start (NOW + ::conf.keepalive);
890
891 // send queued packets
892 while (tap_packet *p = queue.get ())
893 {
894 send_data_packet (p);
895 delete p;
896 }
897
898 connectmode = conf->connectmode;
899 992
900 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 993 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
901 conf->nodename, (const char *)rsi, 994 conf->nodename, (const char *)rsi,
902 p->prot_major, p->prot_minor); 995 p->prot_major, p->prot_minor);
903 996
929 1022
930 if (ictx && octx) 1023 if (ictx && octx)
931 { 1024 {
932 vpndata_packet *p = (vpndata_packet *)pkt; 1025 vpndata_packet *p = (vpndata_packet *)pkt;
933 1026
934 if (rsi == si) 1027 if (!p->hmac_chk (ictx))
1028 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1029 "could be an attack, or just corruption or an synchronization error"),
1030 conf->nodename, (const char *)rsi);
1031 else
935 { 1032 {
936 if (!p->hmac_chk (ictx))
937 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
938 "could be an attack, or just corruption or an synchronization error"),
939 conf->nodename, (const char *)rsi);
940 else 1033 u32 seqno;
1034 tap_packet *d = p->unpack (this, seqno);
1035
1036 if (iseqno.recv_ok (seqno))
941 { 1037 {
942 u32 seqno; 1038 vpn->tap->send (d);
943 tap_packet *d = p->unpack (this, seqno);
944 1039
945 if (iseqno.recv_ok (seqno)) 1040 if (si != rsi)
946 { 1041 {
947 vpn->tap->send (d); 1042 // fast re-sync on connection changes, useful especially for tcp/ip
948
949 if (p->dst () == 0) // re-broadcast
950 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
951 {
952 connection *c = *i;
953
954 if (c->conf != THISNODE && c->conf != conf)
955 c->inject_data_packet (d);
956 }
957
958 delete d;
959
960 break; 1043 si = rsi;
1044
1045 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1046 conf->nodename, (const char *)si, (const char *)rsi);
961 } 1047 }
1048
1049 delete d;
1050
1051 break;
962 } 1052 }
963 } 1053 }
964 else
965 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
966 } 1054 }
967 1055
968 send_reset (rsi); 1056 send_reset (rsi);
969 break; 1057 break;
970 1058
985 // send connect_info packets to both sides, in case one is 1073 // send connect_info packets to both sides, in case one is
986 // behind a nat firewall (or both ;) 1074 // behind a nat firewall (or both ;)
987 c->send_connect_info (conf->id, si, conf->protocols); 1075 c->send_connect_info (conf->id, si, conf->protocols);
988 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1076 send_connect_info (c->conf->id, c->si, c->conf->protocols);
989 } 1077 }
1078 else
1079 c->establish_connection ();
990 } 1080 }
991 1081
992 break; 1082 break;
993 1083
994 case vpn_packet::PT_CONNECT_INFO: 1084 case vpn_packet::PT_CONNECT_INFO:
1004 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1094 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1005 p->si.upgrade_protocol (protocol, c->conf); 1095 p->si.upgrade_protocol (protocol, c->conf);
1006 1096
1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1097 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1098 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009 //slog (L_ERR, "%d PROTOCL(C%x,T%x,0S%x,S%x,P%x,SP%x)",
1010 // p->id, c->conf->protocols, THISNODE->protocols, p->si.supported_protocols(0), p->si.supported_protocols (c->conf),
1011 // protocol, p->si.prot);
1012 1099
1100 const sockinfo &dsi = forward_si (p->si);
1101
1102 if (dsi.valid ())
1013 c->send_auth_request (p->si, true); 1103 c->send_auth_request (dsi, true);
1014 } 1104 }
1015 1105
1016 break; 1106 break;
1017 1107
1018 default: 1108 default:
1034 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1124 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1035 { 1125 {
1036 send_ping (si); 1126 send_ping (si);
1037 w.at = NOW + 5; 1127 w.at = NOW + 5;
1038 } 1128 }
1129 else if (NOW < last_activity + ::conf.keepalive + 10)
1130 // hold ondemand connections implicitly a few seconds longer
1131 // should delete octx, though, or something like that ;)
1132 w.at = last_activity + ::conf.keepalive + 10;
1039 else 1133 else
1040 reset_connection (); 1134 reset_connection ();
1041} 1135}
1042 1136
1043void connection::connect_request (int id) 1137void connection::send_connect_request (int id)
1044{ 1138{
1045 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1139 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1046 1140
1047 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1141 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1048 p->hmac_set (octx); 1142 p->hmac_set (octx);
1049 vpn->send_vpn_packet (p, si); 1143 send_vpn_packet (p, si);
1050 1144
1051 delete p; 1145 delete p;
1052} 1146}
1053 1147
1054void connection::script_node () 1148void connection::script_node ()

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines