ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.44 by pcg, Fri Mar 4 08:15:04 2005 UTC vs.
Revision 1.83 by pcg, Mon Sep 1 05:31:29 2008 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2005 Marc Lehmann <gvpe@schmorp.de> 3 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
4 4
5 This file is part of GVPE. 5 This file is part of GVPE.
6 6
7 GVPE is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify it
8 it under the terms of the GNU General Public License as published by 8 under the terms of the GNU General Public License as published by the
9 the Free Software Foundation; either version 2 of the License, or 9 Free Software Foundation; either version 3 of the License, or (at your
10 (at your option) any later version. 10 option) any later version.
11 11
12 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful, but
13 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15 GNU General Public License for more details. 15 Public License for more details.
16 16
17 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License along
18 along with gvpe; if not, write to the Free Software 18 with this program; if not, see <http://www.gnu.org/licenses/>.
19 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19
20 Additional permission under GNU GPL version 3 section 7
21
22 If you modify this Program, or any covered work, by linking or
23 combining it with the OpenSSL project's OpenSSL library (or a modified
24 version of that library), containing parts covered by the terms of the
25 OpenSSL or SSLeay licenses, the licensors of this Program grant you
26 additional permission to convey the resulting work. Corresponding
27 Source for a non-source form of such a combination shall include the
28 source code for the parts of OpenSSL used as well as that of the
29 covered work.
20*/ 30*/
21 31
22#include "config.h" 32#include "config.h"
23 33
24#include <cassert>
25
26#include <list> 34#include <list>
35#include <queue>
36#include <utility>
27 37
28#include <openssl/rand.h> 38#include <openssl/rand.h>
29#include <openssl/evp.h> 39#include <openssl/evp.h>
30#include <openssl/rsa.h> 40#include <openssl/rsa.h>
31#include <openssl/err.h> 41#include <openssl/err.h>
32
33#include "gettext.h"
34 42
35#include "conf.h" 43#include "conf.h"
36#include "slog.h" 44#include "slog.h"
37#include "device.h" 45#include "device.h"
38#include "vpn.h" 46#include "vpn.h"
49#define ULTRA_FAST 1 57#define ULTRA_FAST 1
50#define HLOG 15 58#define HLOG 15
51#include "lzf/lzf.h" 59#include "lzf/lzf.h"
52#include "lzf/lzf_c.c" 60#include "lzf/lzf_c.c"
53#include "lzf/lzf_d.c" 61#include "lzf/lzf_d.c"
62
63//////////////////////////////////////////////////////////////////////////////
64
65static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
66static ev::child rs_child_ev;
67
68void // c++ requires external linkage here, apparently :(
69rs_child_cb (ev::child &w, int revents)
70{
71 w.stop ();
72
73 if (rs_queue.empty ())
74 return;
75
76 pid_t pid = run_script (*rs_queue.front ().first, false);
77 if (pid)
78 {
79 w.set (pid);
80 w.start ();
81 }
82 else
83 slog (L_WARN, rs_queue.front ().second);
84
85 delete rs_queue.front ().first;
86 rs_queue.pop ();
87}
88
89// despite the fancy name, this is quite a hack
90static void
91run_script_queued (run_script_cb *cb, const char *warnmsg)
92{
93 rs_queue.push (std::make_pair (cb, warnmsg));
94
95 if (!rs_child_ev.is_active ())
96 {
97 rs_child_ev.set<rs_child_cb> ();
98 rs_child_ev ();
99 }
100}
101
102//////////////////////////////////////////////////////////////////////////////
54 103
55struct crypto_ctx 104struct crypto_ctx
56{ 105{
57 EVP_CIPHER_CTX cctx; 106 EVP_CIPHER_CTX cctx;
58 HMAC_CTX hctx; 107 HMAC_CTX hctx;
86 require (EVP_DigestUpdate(&ctx, &id, sizeof id)); 135 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
87 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0)); 136 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
88 EVP_MD_CTX_cleanup (&ctx); 137 EVP_MD_CTX_cleanup (&ctx);
89} 138}
90 139
91struct rsa_entry { 140struct rsa_entry
141{
92 tstamp expire; 142 tstamp expire;
93 rsaid id; 143 rsaid id;
94 rsachallenge chg; 144 rsachallenge chg;
95}; 145};
96 146
97struct rsa_cache : list<rsa_entry> 147struct rsa_cache : list<rsa_entry>
98{ 148{
99 void cleaner_cb (time_watcher &w); time_watcher cleaner; 149 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
100 150
101 bool find (const rsaid &id, rsachallenge &chg) 151 bool find (const rsaid &id, rsachallenge &chg)
102 { 152 {
103 for (iterator i = begin (); i != end (); ++i) 153 for (iterator i = begin (); i != end (); ++i)
104 { 154 {
105 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW) 155 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
106 { 156 {
107 memcpy (&chg, &i->chg, sizeof chg); 157 memcpy (&chg, &i->chg, sizeof chg);
108 158
109 erase (i); 159 erase (i);
110 return true; 160 return true;
111 } 161 }
112 } 162 }
113 163
114 if (cleaner.at < NOW) 164 if (!cleaner.is_active ())
115 cleaner.start (NOW + RSA_TTL); 165 cleaner.again ();
116 166
117 return false; 167 return false;
118 } 168 }
119 169
120 void gen (rsaid &id, rsachallenge &chg) 170 void gen (rsaid &id, rsachallenge &chg)
121 { 171 {
122 rsa_entry e; 172 rsa_entry e;
123 173
124 RAND_bytes ((unsigned char *)&id, sizeof id); 174 RAND_bytes ((unsigned char *)&id, sizeof id);
125 RAND_bytes ((unsigned char *)&chg, sizeof chg); 175 RAND_bytes ((unsigned char *)&chg, sizeof chg);
126 176
127 e.expire = NOW + RSA_TTL; 177 e.expire = ev_now () + RSA_TTL;
128 e.id = id; 178 e.id = id;
129 memcpy (&e.chg, &chg, sizeof chg); 179 memcpy (&e.chg, &chg, sizeof chg);
130 180
131 push_back (e); 181 push_back (e);
132 182
133 if (cleaner.at < NOW) 183 if (!cleaner.is_active ())
134 cleaner.start (NOW + RSA_TTL); 184 cleaner.again ();
135 } 185 }
136 186
137 rsa_cache () 187 rsa_cache ()
138 : cleaner (this, &rsa_cache::cleaner_cb) 188 {
139 { } 189 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
190 cleaner.set (RSA_TTL, RSA_TTL);
191 }
140 192
141} rsa_cache; 193} rsa_cache;
142 194
143void rsa_cache::cleaner_cb (time_watcher &w) 195void rsa_cache::cleaner_cb (ev::timer &w, int revents)
144{ 196{
145 if (!empty ()) 197 if (empty ())
198 w.stop ();
199 else
146 { 200 {
147 w.start (NOW + RSA_TTL);
148
149 for (iterator i = begin (); i != end (); ) 201 for (iterator i = begin (); i != end (); )
150 if (i->expire <= NOW) 202 if (i->expire <= ev_now ())
151 i = erase (i); 203 i = erase (i);
152 else 204 else
153 ++i; 205 ++i;
154 } 206 }
155} 207}
156 208
157////////////////////////////////////////////////////////////////////////////// 209//////////////////////////////////////////////////////////////////////////////
158 210
159void pkt_queue::put (net_packet *p) 211pkt_queue::pkt_queue (double max_ttl, int max_queue)
212: max_ttl (max_ttl), max_queue (max_queue)
160{ 213{
161 if (queue[i]) 214 queue = new pkt [max_queue];
162 {
163 delete queue[i];
164 j = (j + 1) % QUEUEDEPTH;
165 }
166 215
167 queue[i] = p;
168
169 i = (i + 1) % QUEUEDEPTH;
170}
171
172net_packet *pkt_queue::get ()
173{
174 net_packet *p = queue[j];
175
176 if (p)
177 {
178 queue[j] = 0;
179 j = (j + 1) % QUEUEDEPTH;
180 }
181
182 return p;
183}
184
185pkt_queue::pkt_queue ()
186{
187 memset (queue, 0, sizeof (queue));
188 i = 0; 216 i = 0;
189 j = 0; 217 j = 0;
218
219 expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
190} 220}
191 221
192pkt_queue::~pkt_queue () 222pkt_queue::~pkt_queue ()
193{ 223{
194 for (i = QUEUEDEPTH; --i > 0; ) 224 while (net_packet *p = get ())
225 delete p;
226
195 delete queue[i]; 227 delete [] queue;
196} 228}
197 229
230void pkt_queue::expire_cb (ev::timer &w, int revents)
231{
232 ev_tstamp expire = ev_now () - max_ttl;
233
234 for (;;)
235 {
236 if (empty ())
237 break;
238
239 double diff = queue[j].tstamp - expire;
240
241 if (diff >= 0.)
242 {
243 w.start (diff > 0.5 ? diff : 0.5);
244 break;
245 }
246
247 delete get ();
248 }
249}
250
251void pkt_queue::put (net_packet *p)
252{
253 ev_tstamp now = ev_now ();
254
255 // start expiry timer
256 if (empty ())
257 expire.start (max_ttl);
258
259 int ni = i + 1 == max_queue ? 0 : i + 1;
260
261 if (ni == j)
262 delete get ();
263
264 queue[i].pkt = p;
265 queue[i].tstamp = now;
266
267 i = ni;
268}
269
270net_packet *pkt_queue::get ()
271{
272 if (empty ())
273 return 0;
274
275 net_packet *p = queue[j].pkt;
276 queue[j].pkt = 0;
277
278 j = j + 1 == max_queue ? 0 : j + 1;
279
280 return p;
281}
282
198struct net_rateinfo { 283struct net_rateinfo
284{
199 u32 host; 285 u32 host;
200 double pcnt, diff; 286 double pcnt, diff;
201 tstamp last; 287 tstamp last;
202}; 288};
203 289
222 iterator i; 308 iterator i;
223 309
224 for (i = begin (); i != end (); ) 310 for (i = begin (); i != end (); )
225 if (i->host == host) 311 if (i->host == host)
226 break; 312 break;
227 else if (i->last < NOW - NRL_EXPIRE) 313 else if (i->last < ev_now () - NRL_EXPIRE)
228 i = erase (i); 314 i = erase (i);
229 else 315 else
230 i++; 316 i++;
231 317
232 if (i == end ()) 318 if (i == end ())
234 net_rateinfo ri; 320 net_rateinfo ri;
235 321
236 ri.host = host; 322 ri.host = host;
237 ri.pcnt = 1.; 323 ri.pcnt = 1.;
238 ri.diff = NRL_MAXDIF; 324 ri.diff = NRL_MAXDIF;
239 ri.last = NOW; 325 ri.last = ev_now ();
240 326
241 push_front (ri); 327 push_front (ri);
242 328
243 return true; 329 return true;
244 } 330 }
246 { 332 {
247 net_rateinfo ri (*i); 333 net_rateinfo ri (*i);
248 erase (i); 334 erase (i);
249 335
250 ri.pcnt = ri.pcnt * NRL_ALPHA; 336 ri.pcnt = ri.pcnt * NRL_ALPHA;
251 ri.diff = ri.diff * NRL_ALPHA + (NOW - ri.last); 337 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
252 338
253 ri.last = NOW; 339 ri.last = ev_now ();
254 340
255 double dif = ri.diff / ri.pcnt; 341 double dif = ri.diff / ri.pcnt;
256 342
257 bool send = dif > NRL_CUTOFF; 343 bool send = dif > NRL_CUTOFF;
258 344
468 f |= FEATURE_COMPRESSION; 554 f |= FEATURE_COMPRESSION;
469#endif 555#endif
470#if ENABLE_ROHC 556#if ENABLE_ROHC
471 f |= FEATURE_ROHC; 557 f |= FEATURE_ROHC;
472#endif 558#endif
559#if ENABLE_BRIDGING
560 f |= FEATURE_BRIDGING;
561#endif
473 return f; 562 return f;
474 } 563 }
475}; 564};
476 565
477void config_packet::setup (ptype type, int dst) 566void config_packet::setup (ptype type, int dst)
478{ 567{
479 prot_major = PROTOCOL_MAJOR; 568 prot_major = PROTOCOL_MAJOR;
480 prot_minor = PROTOCOL_MINOR; 569 prot_minor = PROTOCOL_MINOR;
481 randsize = RAND_SIZE; 570 randsize = RAND_SIZE;
482 hmaclen = HMACLENGTH; 571 hmaclen = HMACLENGTH;
483 flags = ENABLE_COMPRESSION ? 0x81 : 0x80; 572 flags = 0;
484 challengelen = sizeof (rsachallenge); 573 challengelen = sizeof (rsachallenge);
485 features = get_features (); 574 features = get_features ();
486 575
487 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 576 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
488 digest_nid = htonl (EVP_MD_type (RSA_HASH)); 577 digest_nid = htonl (EVP_MD_type (RSA_HASH));
498 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR); 587 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
499 else if (randsize != RAND_SIZE) 588 else if (randsize != RAND_SIZE)
500 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE); 589 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
501 else if (hmaclen != HMACLENGTH) 590 else if (hmaclen != HMACLENGTH)
502 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH); 591 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
503#if 0 // this implementation should handle all flag settings
504 else if (flags != curflags ())
505 slog (L_WARN, _("flag mismatch (remote %x <=> local %x)"), flags, curflags ());
506#endif
507 else if (challengelen != sizeof (rsachallenge)) 592 else if (challengelen != sizeof (rsachallenge))
508 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge)); 593 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
509 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER))) 594 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
510 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER)); 595 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
511 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH))) 596 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
587///////////////////////////////////////////////////////////////////////////// 672/////////////////////////////////////////////////////////////////////////////
588 673
589void 674void
590connection::connection_established () 675connection::connection_established ()
591{ 676{
677 slog (L_NOISE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
678
592 if (ictx && octx) 679 if (ictx && octx)
593 { 680 {
594 connectmode = conf->connectmode;
595
596 // make sure rekeying timeouts are slightly asymmetric 681 // make sure rekeying timeouts are slightly asymmetric
597 rekey.start (NOW + ::conf.rekey 682 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
598 + (conf->id > THISNODE->id ? 10 : 0)); 683 rekey.start (rekey_interval, rekey_interval);
599 keepalive.start (NOW + ::conf.keepalive); 684 keepalive.start (::conf.keepalive);
600 685
601 // send queued packets 686 // send queued packets
602 if (ictx && octx) 687 if (ictx && octx)
603 { 688 {
604 while (tap_packet *p = (tap_packet *)data_queue.get ()) 689 while (tap_packet *p = (tap_packet *)data_queue.get ())
605 { 690 {
606 send_data_packet (p); 691 if (p->len) send_data_packet (p);
607 delete p; 692 delete p;
608 } 693 }
609 694
610 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ()) 695 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
611 { 696 {
612 send_vpn_packet (p, si, IPTOS_RELIABILITY); 697 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
613 delete p; 698 delete p;
614 } 699 }
615 } 700 }
701
702 vpn->connection_established (this);
616 } 703 }
617 else 704 else
618 { 705 {
619 retry_cnt = 0; 706 retry_cnt = 0;
620 establish_connection.start (NOW + 5); 707 establish_connection.start (5);
621 keepalive.stop (); 708 keepalive.stop ();
622 rekey.stop (); 709 rekey.stop ();
623 } 710 }
624} 711}
625 712
626void 713void
627connection::reset_si () 714connection::reset_si ()
628{ 715{
716 if (vpn->can_direct (THISNODE, conf))
629 protocol = best_protocol (THISNODE->protocols & conf->protocols); 717 protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
630 718 else
631 // mask out protocols we cannot establish 719 {
632 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 720 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
633 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 721 protocol = 0;
634 if (!conf->dns_port) protocol &= ~PROT_DNSv4; 722 }
635 723
636 si.set (conf, protocol); 724 si.set (conf, protocol);
725
726 is_direct = si.valid ();
637} 727}
638 728
639// ensure sockinfo is valid, forward if necessary 729// ensure sockinfo is valid, forward if necessary
640const sockinfo & 730const sockinfo &
641connection::forward_si (const sockinfo &si) const 731connection::forward_si (const sockinfo &si) const
642{ 732{
643 if (!si.valid ()) 733 if (!si.valid ())
644 { 734 {
645 connection *r = vpn->find_router (); 735 connection *r = vpn->find_router_for (this);
646 736
647 if (r) 737 if (r)
648 { 738 {
649 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"), 739 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
650 conf->nodename, r->conf->nodename); 740 conf->nodename, r->conf->nodename);
651 return r->si; 741 return r->si;
652 } 742 }
653 else 743 else
654 slog (L_DEBUG, _("%s: node unreachable, no common protocol"), 744 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
655 conf->nodename); 745 conf->nodename);
656 } 746 }
657 747
658 return si; 748 return si;
659} 749}
660 750
661void 751void
662connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos) 752connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
663{ 753{
664 bool ok; 754 if (!vpn->send_vpn_packet (pkt, si, tos))
665
666 switch (si.prot)
667 {
668 case PROT_IPv4:
669 ok = vpn->send_ipv4_packet (pkt, si, tos); break;
670 case PROT_UDPv4:
671 ok = vpn->send_udpv4_packet (pkt, si, tos); break;
672#if ENABLE_TCP
673 case PROT_TCPv4:
674 ok = vpn->send_tcpv4_packet (pkt, si, tos); break;
675#endif
676#if ENABLE_ICMP
677 case PROT_ICMPv4:
678 ok = vpn->send_icmpv4_packet (pkt, si, tos); break;
679#endif
680#if ENABLE_DNS
681 case PROT_DNSv4:
682 ok = send_dnsv4_packet (pkt, si, tos); break;
683#endif
684
685 default:
686 slog (L_CRIT, _("%s: FATAL: trying to send packet with unsupported protocol"), (const char *)si);
687 ok = false;
688 }
689
690 if (!ok)
691 reset_connection (); 755 reset_connection ();
692} 756}
693 757
694void 758void
695connection::send_ping (const sockinfo &si, u8 pong) 759connection::send_ping (const sockinfo &si, u8 pong)
696{ 760{
697 ping_packet *pkt = new ping_packet; 761 ping_packet *pkt = new ping_packet;
698 762
699 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 763 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
764
765 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
766
700 send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 767 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
701 768
702 delete pkt; 769 delete pkt;
703} 770}
704 771
723 790
724 rsachallenge chg; 791 rsachallenge chg;
725 rsa_cache.gen (pkt->id, chg); 792 rsa_cache.gen (pkt->id, chg);
726 rsa_encrypt (conf->rsa_key, chg, pkt->encr); 793 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
727 794
728 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 795 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
729 796
730 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 797 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
731 798
732 delete pkt; 799 delete pkt;
733} 800}
741 808
742 rsa_hash (id, chg, pkt->response); 809 rsa_hash (id, chg, pkt->response);
743 810
744 pkt->hmac_set (octx); 811 pkt->hmac_set (octx);
745 812
746 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 813 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
747 814
748 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 815 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
749 816
750 delete pkt; 817 delete pkt;
751} 818}
752 819
753void 820void
754connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 821connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
755{ 822{
756 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 823 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s)", conf->nodename,
757 conf->id, rid, (const char *)rsi); 824 vpn->conns[rid - 1]->conf->nodename, (const char *)rsi);
758 825
759 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 826 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
760 827
761 r->hmac_set (octx); 828 r->hmac_set (octx);
762 send_vpn_packet (r, si); 829 send_vpn_packet (r, si);
763 830
764 delete r; 831 delete r;
765} 832}
766 833
767void 834inline void
768connection::establish_connection_cb (time_watcher &w) 835connection::establish_connection_cb (ev::timer &w, int revents)
769{ 836{
770 if (!ictx 837 if (!ictx
771 && conf != THISNODE 838 && conf != THISNODE
772 && connectmode != conf_node::C_NEVER 839 && connectmode != conf_node::C_NEVER
773 && connectmode != conf_node::C_DISABLED 840 && connectmode != conf_node::C_DISABLED
774 && NOW > w.at) 841 && !w.is_active ())
775 { 842 {
776 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 843 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
777 844 // and stop trying. should probably be handled by a per-connection expire handler.
778 if (retry_int < conf->max_retry) 845 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
846 {
847 reset_connection ();
779 retry_cnt++; 848 return;
780 else 849 }
781 retry_int = conf->max_retry;
782 850
783 w.start (NOW + retry_int); 851 last_establish_attempt = ev_now ();
852
853 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
854 ? (retry_cnt & 3) + 1
855 : 1 << (retry_cnt >> 2));
784 856
785 reset_si (); 857 reset_si ();
786 858
787 if (si.prot && !si.host) 859 bool slow = si.prot & PROT_SLOW;
860
861 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
862 {
863 /*TODO*/ /* start the timer so we don't recurse endlessly */
864 w.start (1);
788 vpn->send_connect_request (conf->id); 865 vpn->send_connect_request (this);
866 }
789 else 867 else
790 { 868 {
869 if (si.valid ())
870 slog (L_DEBUG, _("%s: sending direct connection request to %s."),
871 conf->nodename, (const char *)si);
872
791 const sockinfo &dsi = forward_si (si); 873 const sockinfo &dsi = forward_si (si);
874
875 slow = slow || (dsi.prot & PROT_SLOW);
792 876
793 if (dsi.valid () && auth_rate_limiter.can (dsi)) 877 if (dsi.valid () && auth_rate_limiter.can (dsi))
794 { 878 {
795 if (retry_cnt < 4) 879 if (retry_cnt < 4)
796 send_auth_request (dsi, true); 880 send_auth_request (dsi, true);
797 else 881 else
798 send_ping (dsi, 0); 882 send_ping (dsi, 0);
799 } 883 }
800 } 884 }
885
886 retry_int *= slow ? 8. : 0.9;
887
888 if (retry_int < conf->max_retry)
889 retry_cnt++;
890 else
891 retry_int = conf->max_retry;
892
893 w.start (retry_int);
801 } 894 }
802} 895}
803 896
804void 897void
805connection::reset_connection () 898connection::reset_connection ()
808 { 901 {
809 slog (L_INFO, _("%s(%s): connection lost"), 902 slog (L_INFO, _("%s(%s): connection lost"),
810 conf->nodename, (const char *)si); 903 conf->nodename, (const char *)si);
811 904
812 if (::conf.script_node_down) 905 if (::conf.script_node_down)
813 run_script (run_script_cb (this, &connection::script_node_down), false); 906 {
907 run_script_cb *cb = new run_script_cb;
908 cb->set<connection, &connection::script_node_down> (this);
909 run_script_queued (cb, _("node-down command execution failed, continuing."));
910 }
814 } 911 }
815 912
816 delete ictx; ictx = 0; 913 delete ictx; ictx = 0;
817 delete octx; octx = 0; 914 delete octx; octx = 0;
818#if ENABLE_DNS 915#if ENABLE_DNS
819 delete dns; dns = 0; 916 dnsv4_reset_connection ();
820#endif 917#endif
821 918
822 si.host = 0; 919 si.host = 0;
823 920
824 last_activity = 0; 921 last_activity = 0.;
922 //last_si_change = 0.;
825 retry_cnt = 0; 923 retry_cnt = 0;
826 924
827 rekey.stop (); 925 rekey.stop ();
828 keepalive.stop (); 926 keepalive.stop ();
829 establish_connection.stop (); 927 establish_connection.stop ();
836 send_reset (si); 934 send_reset (si);
837 935
838 reset_connection (); 936 reset_connection ();
839} 937}
840 938
841void 939// poor-man's rekeying
842connection::rekey_cb (time_watcher &w) 940inline void
941connection::rekey_cb (ev::timer &w, int revents)
843{ 942{
844 reset_connection (); 943 reset_connection ();
845 establish_connection (); 944 establish_connection ();
846} 945}
847 946
863 if (oseqno > MAX_SEQNO) 962 if (oseqno > MAX_SEQNO)
864 rekey (); 963 rekey ();
865} 964}
866 965
867void 966void
967connection::post_inject_queue ()
968{
969 // force a connection every now and when when packets are sent (max 1/s)
970 if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
971 establish_connection.stop ();
972
973 establish_connection ();
974}
975
976void
868connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/) 977connection::inject_data_packet (tap_packet *pkt)
869{ 978{
870 if (ictx && octx) 979 if (ictx && octx)
871 send_data_packet (pkt); 980 send_data_packet (pkt);
872 else 981 else
873 { 982 {
874 if (!broadcast)//DDDD
875 data_queue.put (new tap_packet (*pkt)); 983 data_queue.put (new tap_packet (*pkt));
876 984 post_inject_queue ();
877 establish_connection ();
878 } 985 }
879} 986}
880 987
881void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 988void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
882{ 989{
883 if (ictx && octx) 990 if (ictx && octx)
884 send_vpn_packet (pkt, si, tos); 991 send_vpn_packet (pkt, si, tos);
885 else 992 else
886 { 993 {
887 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt)); 994 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
888 995 post_inject_queue ();
889 establish_connection ();
890 } 996 }
891} 997}
892 998
893void 999void
894connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 1000connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
895{ 1001{
896 last_activity = NOW; 1002 last_activity = ev_now ();
897 1003
898 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 1004 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
899 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 1005 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1006
1007 if (connectmode == conf_node::C_DISABLED)
1008 return;
900 1009
901 switch (pkt->typ ()) 1010 switch (pkt->typ ())
902 { 1011 {
903 case vpn_packet::PT_PING: 1012 case vpn_packet::PT_PING:
1013 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1014
904 // we send pings instead of auth packets after some retries, 1015 // we send pings instead of auth packets after some retries,
905 // so reset the retry counter and establish a connection 1016 // so reset the retry counter and establish a connection
906 // when we receive a ping. 1017 // when we receive a ping.
907 if (!ictx) 1018 if (!ictx)
908 { 1019 {
909 if (auth_rate_limiter.can (rsi)) 1020 if (auth_rate_limiter.can (rsi))
910 send_auth_request (rsi, true); 1021 send_auth_request (rsi, true);
911 } 1022 }
912 else 1023 else
1024 // we would love to change thre socket address here, but ping's aren't
1025 // authenticated, so we best ignore it.
913 send_ping (rsi, 1); // pong 1026 send_ping (rsi, 1); // pong
914 1027
915 break; 1028 break;
916 1029
917 case vpn_packet::PT_PONG: 1030 case vpn_packet::PT_PONG:
1031 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
918 break; 1032 break;
919 1033
920 case vpn_packet::PT_RESET: 1034 case vpn_packet::PT_RESET:
921 { 1035 {
922 reset_connection (); 1036 reset_connection ();
923 1037
924 config_packet *p = (config_packet *) pkt; 1038 config_packet *p = (config_packet *) pkt;
925 1039
926 if (!p->chk_config ()) 1040 if (!p->chk_config ())
927 { 1041 {
928 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), 1042 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
929 conf->nodename, (const char *)rsi); 1043 conf->nodename, (const char *)rsi);
930 connectmode = conf_node::C_DISABLED; 1044 connectmode = conf_node::C_DISABLED;
931 } 1045 }
932 else if (connectmode == conf_node::C_ALWAYS) 1046 else if (connectmode == conf_node::C_ALWAYS)
933 establish_connection (); 1047 establish_connection ();
937 case vpn_packet::PT_AUTH_REQ: 1051 case vpn_packet::PT_AUTH_REQ:
938 if (auth_rate_limiter.can (rsi)) 1052 if (auth_rate_limiter.can (rsi))
939 { 1053 {
940 auth_req_packet *p = (auth_req_packet *) pkt; 1054 auth_req_packet *p = (auth_req_packet *) pkt;
941 1055
942 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 1056 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s)", conf->nodename, p->initiate ? "initiate" : "reply");
943 1057
944 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 1058 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
945 { 1059 {
946 if (p->prot_minor != PROTOCOL_MINOR) 1060 if (p->prot_minor != PROTOCOL_MINOR)
947 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 1061 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
964 delete octx; 1078 delete octx;
965 1079
966 octx = new crypto_ctx (k, 1); 1080 octx = new crypto_ctx (k, 1);
967 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 1081 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
968 1082
969 // compatibility code, remove when no longer required
970 if (p->flags & 1) p->features |= FEATURE_COMPRESSION;
971
972 conf->protocols = p->protocols; 1083 conf->protocols = p->protocols;
973 features = p->features & config_packet::get_features (); 1084 features = p->features & config_packet::get_features ();
974 1085
975 send_auth_response (rsi, p->id, k); 1086 send_auth_response (rsi, p->id, k);
976 1087
978 1089
979 break; 1090 break;
980 } 1091 }
981 } 1092 }
982 else 1093 else
983 slog (L_WARN, _("%s(%s): protocol mismatch"), 1094 slog (L_WARN, _("%s(%s): protocol mismatch."),
984 conf->nodename, (const char *)rsi); 1095 conf->nodename, (const char *)rsi);
985 1096
986 send_reset (rsi); 1097 send_reset (rsi);
987 } 1098 }
988 1099
989 break; 1100 break;
990 1101
991 case vpn_packet::PT_AUTH_RES: 1102 case vpn_packet::PT_AUTH_RES:
992 { 1103 {
993 auth_res_packet *p = (auth_res_packet *) pkt; 1104 auth_res_packet *p = (auth_res_packet *)pkt;
994 1105
995 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 1106 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
996 1107
997 if (p->chk_config ()) 1108 if (p->chk_config ())
998 { 1109 {
999 if (p->prot_minor != PROTOCOL_MINOR) 1110 if (p->prot_minor != PROTOCOL_MINOR)
1000 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 1111 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1003 1114
1004 rsachallenge chg; 1115 rsachallenge chg;
1005 1116
1006 if (!rsa_cache.find (p->id, chg)) 1117 if (!rsa_cache.find (p->id, chg))
1007 { 1118 {
1008 slog (L_ERR, _("%s(%s): unrequested auth response ignored"), 1119 slog (L_ERR, _("%s(%s): unrequested auth response, ignoring."),
1009 conf->nodename, (const char *)rsi); 1120 conf->nodename, (const char *)rsi);
1010 break; 1121 break;
1011 } 1122 }
1012 else 1123 else
1013 { 1124 {
1014 crypto_ctx *cctx = new crypto_ctx (chg, 0); 1125 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1015 1126
1016 if (!p->hmac_chk (cctx)) 1127 if (!p->hmac_chk (cctx))
1017 { 1128 {
1018 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 1129 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1019 "could be an attack, or just corruption or a synchronization error"), 1130 "could be an attack, or just corruption or a synchronization error."),
1020 conf->nodename, (const char *)rsi); 1131 conf->nodename, (const char *)rsi);
1021 break; 1132 break;
1022 } 1133 }
1023 else 1134 else
1024 { 1135 {
1035 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 1146 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1036 1147
1037 si = rsi; 1148 si = rsi;
1038 protocol = rsi.prot; 1149 protocol = rsi.prot;
1039 1150
1151 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
1152 conf->nodename, (const char *)rsi,
1153 is_direct ? "direct" : "forwarded",
1154 p->prot_major, p->prot_minor);
1155
1040 connection_established (); 1156 connection_established ();
1041 1157
1042 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
1043 conf->nodename, (const char *)rsi,
1044 p->prot_major, p->prot_minor);
1045
1046 if (::conf.script_node_up) 1158 if (::conf.script_node_up)
1047 run_script (run_script_cb (this, &connection::script_node_up), false); 1159 {
1160 run_script_cb *cb = new run_script_cb;
1161 cb->set<connection, &connection::script_node_up> (this);
1162 run_script_queued (cb, _("node-up command execution failed, continuing."));
1163 }
1048 1164
1049 break; 1165 break;
1050 } 1166 }
1051 else 1167 else
1052 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1168 slog (L_ERR, _("%s(%s): sent and received challenge do not match."),
1053 conf->nodename, (const char *)rsi); 1169 conf->nodename, (const char *)rsi);
1054 } 1170 }
1055 1171
1056 delete cctx; 1172 delete cctx;
1057 } 1173 }
1073 { 1189 {
1074 vpndata_packet *p = (vpndata_packet *)pkt; 1190 vpndata_packet *p = (vpndata_packet *)pkt;
1075 1191
1076 if (!p->hmac_chk (ictx)) 1192 if (!p->hmac_chk (ictx))
1077 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n" 1193 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1078 "could be an attack, or just corruption or a synchronization error"), 1194 "could be an attack, or just corruption or a synchronization error."),
1079 conf->nodename, (const char *)rsi); 1195 conf->nodename, (const char *)rsi);
1080 else 1196 else
1081 { 1197 {
1082 u32 seqno; 1198 u32 seqno;
1083 tap_packet *d = p->unpack (this, seqno); 1199 tap_packet *d = p->unpack (this, seqno);
1200 int seqclass = iseqno.seqno_classify (seqno);
1084 1201
1085 if (iseqno.recv_ok (seqno)) 1202 if (seqclass == 0) // ok
1086 { 1203 {
1087 vpn->tap->send (d); 1204 vpn->tap->send (d);
1088 1205
1089 if (si != rsi) 1206 if (si != rsi)
1090 { 1207 {
1091 // fast re-sync on connection changes, useful especially for tcp/ip 1208 // fast re-sync on source address changes, useful especially for tcp/ip
1209 //if (last_si_change < ev_now () + 5.)
1092 si = rsi; 1210 // {
1093
1094 slog (L_INFO, _("%s(%s): socket address changed to %s"), 1211 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1095 conf->nodename, (const char *)si, (const char *)rsi); 1212 conf->nodename, (const char *)si, (const char *)rsi);
1213
1214 si = rsi;
1215 // }
1216 //else
1217 // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1218 // conf->nodename, (const char *)si, (const char *)rsi);
1096 } 1219 }
1220 }
1221 else if (seqclass == 1) // far history
1222 slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1223 "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1224 else if (seqclass == 2) // in-window duplicate, happens often on wireless
1225 slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1226 "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1227 else if (seqclass == 3) // reset
1228 {
1229 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1230 "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1231 send_reset (rsi);
1097 } 1232 }
1098 1233
1099 delete d; 1234 delete d;
1100 break; 1235 break;
1101 } 1236 }
1107 case vpn_packet::PT_CONNECT_REQ: 1242 case vpn_packet::PT_CONNECT_REQ:
1108 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1243 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1109 { 1244 {
1110 connect_req_packet *p = (connect_req_packet *) pkt; 1245 connect_req_packet *p = (connect_req_packet *) pkt;
1111 1246
1112 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1247 if (p->id > 0 && p->id <= vpn->conns.size ())
1113 connection *c = vpn->conns[p->id - 1];
1114 conf->protocols = p->protocols;
1115
1116 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1117 conf->id, p->id, c->ictx && c->octx);
1118
1119 if (c->ictx && c->octx)
1120 { 1248 {
1249 connection *c = vpn->conns[p->id - 1];
1250 conf->protocols = p->protocols;
1251
1252 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s) [%d]",
1253 conf->nodename, vpn->conns[p->id - 1]->conf->nodename, c->ictx && c->octx);
1254
1255 if (c->ictx && c->octx)
1256 {
1121 // send connect_info packets to both sides, in case one is 1257 // send connect_info packets to both sides, in case one is
1122 // behind a nat firewall (or both ;) 1258 // behind a nat firewall (or both ;)
1123 c->send_connect_info (conf->id, si, conf->protocols); 1259 c->send_connect_info (conf->id, si, conf->protocols);
1124 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1260 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1261 }
1262 else
1263 c->establish_connection ();
1125 } 1264 }
1126 else 1265 else
1127 c->establish_connection (); 1266 slog (L_WARN,
1267 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1268 p->id);
1128 } 1269 }
1129 1270
1130 break; 1271 break;
1131 1272
1132 case vpn_packet::PT_CONNECT_INFO: 1273 case vpn_packet::PT_CONNECT_INFO:
1133 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1274 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1134 { 1275 {
1135 connect_info_packet *p = (connect_info_packet *)pkt; 1276 connect_info_packet *p = (connect_info_packet *)pkt;
1136 1277
1137 if (p->id > 0 && p->id <= vpn->conns.size ()) // hmac-auth does not mean we accept anything 1278 if (p->id > 0 && p->id <= vpn->conns.size ())
1138 { 1279 {
1139 connection *c = vpn->conns[p->id - 1]; 1280 connection *c = vpn->conns[p->id - 1];
1140 1281
1141 c->conf->protocols = p->protocols; 1282 c->conf->protocols = p->protocols;
1142 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1283 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1143 p->si.upgrade_protocol (protocol, c->conf); 1284 p->si.upgrade_protocol (protocol, c->conf);
1144 1285
1145 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1286 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s) [%d]",
1287 conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1146 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1288 (const char *)p->si, !c->ictx && !c->octx);
1147 1289
1148 const sockinfo &dsi = forward_si (p->si); 1290 const sockinfo &dsi = forward_si (p->si);
1149 1291
1150 if (dsi.valid ()) 1292 if (dsi.valid ())
1151 c->send_auth_request (dsi, true); 1293 c->send_auth_request (dsi, true);
1152 } 1294 }
1295 else
1296 slog (L_WARN,
1297 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1298 p->id);
1153 } 1299 }
1154 1300
1155 break; 1301 break;
1156 1302
1157 default: 1303 default:
1158 send_reset (rsi); 1304 send_reset (rsi);
1159 break; 1305 break;
1160 } 1306 }
1161} 1307}
1162 1308
1163void connection::keepalive_cb (time_watcher &w) 1309inline void
1310connection::keepalive_cb (ev::timer &w, int revents)
1164{ 1311{
1165 if (NOW >= last_activity + ::conf.keepalive + 30) 1312 if (ev_now () >= last_activity + ::conf.keepalive + 15)
1166 { 1313 {
1167 reset_connection (); 1314 reset_connection ();
1168 establish_connection (); 1315 establish_connection ();
1169 } 1316 }
1170 else if (NOW < last_activity + ::conf.keepalive) 1317 else if (ev_now () < last_activity + ::conf.keepalive)
1171 w.start (last_activity + ::conf.keepalive); 1318 w.start (last_activity + ::conf.keepalive - ev::now ());
1172 else if (conf->connectmode != conf_node::C_ONDEMAND 1319 else if (conf->connectmode != conf_node::C_ONDEMAND
1173 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1320 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1174 { 1321 {
1175 send_ping (si); 1322 send_ping (si);
1176 w.start (NOW + 5); 1323 w.start (3);
1177 } 1324 }
1178 else if (NOW < last_activity + ::conf.keepalive + 10) 1325 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1179 // hold ondemand connections implicitly a few seconds longer 1326 // hold ondemand connections implicitly a few seconds longer
1180 // should delete octx, though, or something like that ;) 1327 // should delete octx, though, or something like that ;)
1181 w.start (last_activity + ::conf.keepalive + 10); 1328 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1182 else 1329 else
1183 reset_connection (); 1330 reset_connection ();
1184} 1331}
1185 1332
1186void connection::send_connect_request (int id) 1333void connection::send_connect_request (int id)
1187{ 1334{
1188 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1335 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1189 1336
1190 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1337 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s)",
1338 conf->nodename, vpn->conns[id - 1]->conf->nodename);
1191 p->hmac_set (octx); 1339 p->hmac_set (octx);
1192 send_vpn_packet (p, si); 1340 send_vpn_packet (p, si);
1193 1341
1194 delete p; 1342 delete p;
1195} 1343}
1196 1344
1345void connection::script_init_env (const char *ext)
1346{
1347 char *env;
1348 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1349 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1350 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1351 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1352 conf->id & 0xff); putenv (env);
1353}
1354
1197void connection::script_node () 1355void connection::script_init_connect_env ()
1198{ 1356{
1199 vpn->script_if_up (); 1357 vpn->script_init_env ();
1200 1358
1201 char *env; 1359 char *env;
1202 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1360 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1203 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1361 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1204 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1362 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1205 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1363 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1206} 1364}
1207 1365
1366inline const char *
1208const char *connection::script_node_up () 1367connection::script_node_up ()
1209{ 1368{
1210 script_node (); 1369 script_init_connect_env ();
1211 1370
1212 putenv ("STATE=up"); 1371 putenv ((char *)"STATE=up");
1213 1372
1373 char *filename;
1374 asprintf (&filename,
1375 "%s/%s",
1376 confbase,
1214 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1377 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1215}
1216 1378
1379 return filename;
1380}
1381
1382inline const char *
1217const char *connection::script_node_down () 1383connection::script_node_down ()
1218{ 1384{
1219 script_node (); 1385 script_init_connect_env ();
1220 1386
1221 putenv ("STATE=down"); 1387 putenv ((char *)"STATE=down");
1222 1388
1223 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1389 char *filename;
1390 asprintf (&filename,
1391 "%s/%s",
1392 confbase,
1393 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1394
1395 return filename;
1224} 1396}
1225 1397
1226connection::connection (struct vpn *vpn, conf_node *conf) 1398connection::connection (struct vpn *vpn, conf_node *conf)
1227: vpn(vpn), conf(conf) 1399: vpn(vpn), conf(conf),
1228, rekey (this, &connection::rekey_cb)
1229, keepalive (this, &connection::keepalive_cb)
1230, establish_connection (this, &connection::establish_connection_cb)
1231#if ENABLE_DNS 1400#if ENABLE_DNS
1232, dns (0) 1401 dns (0),
1233#endif 1402#endif
1403 data_queue(conf->max_ttl, conf->max_queue + 1),
1404 vpn_queue(conf->max_ttl, conf->max_queue + 1)
1234{ 1405{
1406 rekey .set<connection, &connection::rekey_cb > (this);
1407 keepalive .set<connection, &connection::keepalive_cb > (this);
1408 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1409
1410 last_establish_attempt = 0.;
1235 octx = ictx = 0; 1411 octx = ictx = 0;
1236 retry_cnt = 0;
1237 1412
1238 if (!conf->protocols) // make sure some protocol is enabled 1413 if (!conf->protocols) // make sure some protocol is enabled
1239 conf->protocols = PROT_UDPv4; 1414 conf->protocols = PROT_UDPv4;
1240 1415
1241 connectmode = conf_node::C_ALWAYS; // initial setting 1416 connectmode = conf->connectmode;
1417
1418 // queue a dummy packet to force an initial connection attempt
1419 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1420 vpn_queue.put (new net_packet);
1421
1242 reset_connection (); 1422 reset_connection ();
1243} 1423}
1244 1424
1245connection::~connection () 1425connection::~connection ()
1246{ 1426{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines