ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.40 by pcg, Tue Mar 1 06:27:20 2005 UTC vs.
Revision 1.82 by pcg, Fri Aug 15 18:35:24 2008 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2004 Marc Lehmann <pcg@goof.com> 3 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
4 4
5 This file is part of GVPE.
6
5 This program is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify it
6 it under the terms of the GNU General Public License as published by 8 under the terms of the GNU General Public License as published by the
7 the Free Software Foundation; either version 2 of the License, or 9 Free Software Foundation; either version 3 of the License, or (at your
8 (at your option) any later version. 10 option) any later version.
9 11
10 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful, but
11 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
13 GNU General Public License for more details. 15 Public License for more details.
14 16
15 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License along
16 along with this program; if not, write to the Free Software 18 with this program; if not, see <http://www.gnu.org/licenses/>.
17 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19
20 Additional permission under GNU GPL version 3 section 7
21
22 If you modify this Program, or any covered work, by linking or
23 combining it with the OpenSSL project's OpenSSL library (or a modified
24 version of that library), containing parts covered by the terms of the
25 OpenSSL or SSLeay licenses, the licensors of this Program grant you
26 additional permission to convey the resulting work. Corresponding
27 Source for a non-source form of such a combination shall include the
28 source code for the parts of OpenSSL used as well as that of the
29 covered work.
18*/ 30*/
19 31
20#include "config.h" 32#include "config.h"
21 33
22#include <cassert>
23
24#include <list> 34#include <list>
35#include <queue>
36#include <utility>
25 37
26#include <openssl/rand.h> 38#include <openssl/rand.h>
27#include <openssl/evp.h> 39#include <openssl/evp.h>
28#include <openssl/rsa.h> 40#include <openssl/rsa.h>
29#include <openssl/err.h> 41#include <openssl/err.h>
30
31#include "gettext.h"
32 42
33#include "conf.h" 43#include "conf.h"
34#include "slog.h" 44#include "slog.h"
35#include "device.h" 45#include "device.h"
36#include "vpn.h" 46#include "vpn.h"
47#define ULTRA_FAST 1 57#define ULTRA_FAST 1
48#define HLOG 15 58#define HLOG 15
49#include "lzf/lzf.h" 59#include "lzf/lzf.h"
50#include "lzf/lzf_c.c" 60#include "lzf/lzf_c.c"
51#include "lzf/lzf_d.c" 61#include "lzf/lzf_d.c"
62
63//////////////////////////////////////////////////////////////////////////////
64
65static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
66static ev::child rs_child_ev;
67
68void // c++ requires external linkage here, apparently :(
69rs_child_cb (ev::child &w, int revents)
70{
71 w.stop ();
72
73 if (rs_queue.empty ())
74 return;
75
76 pid_t pid = run_script (*rs_queue.front ().first, false);
77 if (pid)
78 {
79 w.set (pid);
80 w.start ();
81 }
82 else
83 slog (L_WARN, rs_queue.front ().second);
84
85 delete rs_queue.front ().first;
86 rs_queue.pop ();
87}
88
89// despite the fancy name, this is quite a hack
90static void
91run_script_queued (run_script_cb *cb, const char *warnmsg)
92{
93 rs_queue.push (std::make_pair (cb, warnmsg));
94
95 if (!rs_child_ev.is_active ())
96 {
97 rs_child_ev.set<rs_child_cb> ();
98 rs_child_ev ();
99 }
100}
101
102//////////////////////////////////////////////////////////////////////////////
52 103
53struct crypto_ctx 104struct crypto_ctx
54{ 105{
55 EVP_CIPHER_CTX cctx; 106 EVP_CIPHER_CTX cctx;
56 HMAC_CTX hctx; 107 HMAC_CTX hctx;
84 require (EVP_DigestUpdate(&ctx, &id, sizeof id)); 135 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
85 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0)); 136 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
86 EVP_MD_CTX_cleanup (&ctx); 137 EVP_MD_CTX_cleanup (&ctx);
87} 138}
88 139
89struct rsa_entry { 140struct rsa_entry
141{
90 tstamp expire; 142 tstamp expire;
91 rsaid id; 143 rsaid id;
92 rsachallenge chg; 144 rsachallenge chg;
93}; 145};
94 146
95struct rsa_cache : list<rsa_entry> 147struct rsa_cache : list<rsa_entry>
96{ 148{
97 void cleaner_cb (time_watcher &w); time_watcher cleaner; 149 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
98 150
99 bool find (const rsaid &id, rsachallenge &chg) 151 bool find (const rsaid &id, rsachallenge &chg)
100 { 152 {
101 for (iterator i = begin (); i != end (); ++i) 153 for (iterator i = begin (); i != end (); ++i)
102 { 154 {
103 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW) 155 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
104 { 156 {
105 memcpy (&chg, &i->chg, sizeof chg); 157 memcpy (&chg, &i->chg, sizeof chg);
106 158
107 erase (i); 159 erase (i);
108 return true; 160 return true;
109 } 161 }
110 } 162 }
111 163
112 if (cleaner.at < NOW) 164 if (!cleaner.is_active ())
113 cleaner.start (NOW + RSA_TTL); 165 cleaner.again ();
114 166
115 return false; 167 return false;
116 } 168 }
117 169
118 void gen (rsaid &id, rsachallenge &chg) 170 void gen (rsaid &id, rsachallenge &chg)
119 { 171 {
120 rsa_entry e; 172 rsa_entry e;
121 173
122 RAND_bytes ((unsigned char *)&id, sizeof id); 174 RAND_bytes ((unsigned char *)&id, sizeof id);
123 RAND_bytes ((unsigned char *)&chg, sizeof chg); 175 RAND_bytes ((unsigned char *)&chg, sizeof chg);
124 176
125 e.expire = NOW + RSA_TTL; 177 e.expire = ev_now () + RSA_TTL;
126 e.id = id; 178 e.id = id;
127 memcpy (&e.chg, &chg, sizeof chg); 179 memcpy (&e.chg, &chg, sizeof chg);
128 180
129 push_back (e); 181 push_back (e);
130 182
131 if (cleaner.at < NOW) 183 if (!cleaner.is_active ())
132 cleaner.start (NOW + RSA_TTL); 184 cleaner.again ();
133 } 185 }
134 186
135 rsa_cache () 187 rsa_cache ()
136 : cleaner (this, &rsa_cache::cleaner_cb) 188 {
137 { } 189 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
190 cleaner.set (RSA_TTL, RSA_TTL);
191 }
138 192
139} rsa_cache; 193} rsa_cache;
140 194
141void rsa_cache::cleaner_cb (time_watcher &w) 195void rsa_cache::cleaner_cb (ev::timer &w, int revents)
142{ 196{
143 if (!empty ()) 197 if (empty ())
198 w.stop ();
199 else
144 { 200 {
145 w.start (NOW + RSA_TTL);
146
147 for (iterator i = begin (); i != end (); ) 201 for (iterator i = begin (); i != end (); )
148 if (i->expire <= NOW) 202 if (i->expire <= ev_now ())
149 i = erase (i); 203 i = erase (i);
150 else 204 else
151 ++i; 205 ++i;
152 } 206 }
153} 207}
154 208
155////////////////////////////////////////////////////////////////////////////// 209//////////////////////////////////////////////////////////////////////////////
156 210
157void pkt_queue::put (net_packet *p) 211pkt_queue::pkt_queue (double max_ttl, int max_queue)
212: max_ttl (max_ttl), max_queue (max_queue)
158{ 213{
159 if (queue[i]) 214 queue = new pkt [max_queue];
160 {
161 delete queue[i];
162 j = (j + 1) % QUEUEDEPTH;
163 }
164 215
165 queue[i] = p;
166
167 i = (i + 1) % QUEUEDEPTH;
168}
169
170net_packet *pkt_queue::get ()
171{
172 net_packet *p = queue[j];
173
174 if (p)
175 {
176 queue[j] = 0;
177 j = (j + 1) % QUEUEDEPTH;
178 }
179
180 return p;
181}
182
183pkt_queue::pkt_queue ()
184{
185 memset (queue, 0, sizeof (queue));
186 i = 0; 216 i = 0;
187 j = 0; 217 j = 0;
218
219 expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
188} 220}
189 221
190pkt_queue::~pkt_queue () 222pkt_queue::~pkt_queue ()
191{ 223{
192 for (i = QUEUEDEPTH; --i > 0; ) 224 while (net_packet *p = get ())
225 delete p;
226
193 delete queue[i]; 227 delete [] queue;
194} 228}
195 229
230void pkt_queue::expire_cb (ev::timer &w, int revents)
231{
232 ev_tstamp expire = ev_now () - max_ttl;
233
234 for (;;)
235 {
236 if (empty ())
237 break;
238
239 double diff = queue[j].tstamp - expire;
240
241 if (diff >= 0.)
242 {
243 w.start (diff > 0.5 ? diff : 0.5);
244 break;
245 }
246
247 delete get ();
248 }
249}
250
251void pkt_queue::put (net_packet *p)
252{
253 ev_tstamp now = ev_now ();
254
255 // start expiry timer
256 if (empty ())
257 expire.start (max_ttl);
258
259 int ni = i + 1 == max_queue ? 0 : i + 1;
260
261 if (ni == j)
262 delete get ();
263
264 queue[i].pkt = p;
265 queue[i].tstamp = now;
266
267 i = ni;
268}
269
270net_packet *pkt_queue::get ()
271{
272 if (empty ())
273 return 0;
274
275 net_packet *p = queue[j].pkt;
276 queue[j].pkt = 0;
277
278 j = j + 1 == max_queue ? 0 : j + 1;
279
280 return p;
281}
282
196struct net_rateinfo { 283struct net_rateinfo
284{
197 u32 host; 285 u32 host;
198 double pcnt, diff; 286 double pcnt, diff;
199 tstamp last; 287 tstamp last;
200}; 288};
201 289
220 iterator i; 308 iterator i;
221 309
222 for (i = begin (); i != end (); ) 310 for (i = begin (); i != end (); )
223 if (i->host == host) 311 if (i->host == host)
224 break; 312 break;
225 else if (i->last < NOW - NRL_EXPIRE) 313 else if (i->last < ev_now () - NRL_EXPIRE)
226 i = erase (i); 314 i = erase (i);
227 else 315 else
228 i++; 316 i++;
229 317
230 if (i == end ()) 318 if (i == end ())
232 net_rateinfo ri; 320 net_rateinfo ri;
233 321
234 ri.host = host; 322 ri.host = host;
235 ri.pcnt = 1.; 323 ri.pcnt = 1.;
236 ri.diff = NRL_MAXDIF; 324 ri.diff = NRL_MAXDIF;
237 ri.last = NOW; 325 ri.last = ev_now ();
238 326
239 push_front (ri); 327 push_front (ri);
240 328
241 return true; 329 return true;
242 } 330 }
244 { 332 {
245 net_rateinfo ri (*i); 333 net_rateinfo ri (*i);
246 erase (i); 334 erase (i);
247 335
248 ri.pcnt = ri.pcnt * NRL_ALPHA; 336 ri.pcnt = ri.pcnt * NRL_ALPHA;
249 ri.diff = ri.diff * NRL_ALPHA + (NOW - ri.last); 337 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
250 338
251 ri.last = NOW; 339 ri.last = ev_now ();
252 340
253 double dif = ri.diff / ri.pcnt; 341 double dif = ri.diff / ri.pcnt;
254 342
255 bool send = dif > NRL_CUTOFF; 343 bool send = dif > NRL_CUTOFF;
256 344
466 f |= FEATURE_COMPRESSION; 554 f |= FEATURE_COMPRESSION;
467#endif 555#endif
468#if ENABLE_ROHC 556#if ENABLE_ROHC
469 f |= FEATURE_ROHC; 557 f |= FEATURE_ROHC;
470#endif 558#endif
559#if ENABLE_BRIDGING
560 f |= FEATURE_BRIDGING;
561#endif
471 return f; 562 return f;
472 } 563 }
473}; 564};
474 565
475void config_packet::setup (ptype type, int dst) 566void config_packet::setup (ptype type, int dst)
476{ 567{
477 prot_major = PROTOCOL_MAJOR; 568 prot_major = PROTOCOL_MAJOR;
478 prot_minor = PROTOCOL_MINOR; 569 prot_minor = PROTOCOL_MINOR;
479 randsize = RAND_SIZE; 570 randsize = RAND_SIZE;
480 hmaclen = HMACLENGTH; 571 hmaclen = HMACLENGTH;
481 flags = ENABLE_COMPRESSION ? 0x81 : 0x80; 572 flags = 0;
482 challengelen = sizeof (rsachallenge); 573 challengelen = sizeof (rsachallenge);
483 features = get_features (); 574 features = get_features ();
484 575
485 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 576 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
486 digest_nid = htonl (EVP_MD_type (RSA_HASH)); 577 digest_nid = htonl (EVP_MD_type (RSA_HASH));
496 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR); 587 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
497 else if (randsize != RAND_SIZE) 588 else if (randsize != RAND_SIZE)
498 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE); 589 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
499 else if (hmaclen != HMACLENGTH) 590 else if (hmaclen != HMACLENGTH)
500 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH); 591 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
501#if 0 // this implementation should handle all flag settings
502 else if (flags != curflags ())
503 slog (L_WARN, _("flag mismatch (remote %x <=> local %x)"), flags, curflags ());
504#endif
505 else if (challengelen != sizeof (rsachallenge)) 592 else if (challengelen != sizeof (rsachallenge))
506 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge)); 593 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
507 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER))) 594 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
508 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER)); 595 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
509 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH))) 596 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
585///////////////////////////////////////////////////////////////////////////// 672/////////////////////////////////////////////////////////////////////////////
586 673
587void 674void
588connection::connection_established () 675connection::connection_established ()
589{ 676{
677 slog (L_NOISE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
678
590 if (ictx && octx) 679 if (ictx && octx)
591 { 680 {
592 connectmode = conf->connectmode;
593
594 // make sure rekeying timeouts are slightly asymmetric 681 // make sure rekeying timeouts are slightly asymmetric
595 rekey.start (NOW + ::conf.rekey 682 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
596 + (conf->id > THISNODE->id ? 10 : 0)); 683 rekey.start (rekey_interval, rekey_interval);
597 keepalive.start (NOW + ::conf.keepalive); 684 keepalive.start (::conf.keepalive);
598 685
599 // send queued packets 686 // send queued packets
600 if (ictx && octx) 687 if (ictx && octx)
601 { 688 {
602 while (tap_packet *p = (tap_packet *)data_queue.get ()) 689 while (tap_packet *p = (tap_packet *)data_queue.get ())
603 { 690 {
604 send_data_packet (p); 691 if (p->len) send_data_packet (p);
605 delete p; 692 delete p;
606 } 693 }
607 694
608 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ()) 695 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
609 { 696 {
610 send_vpn_packet (p, si, IPTOS_RELIABILITY); 697 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
611 delete p; 698 delete p;
612 } 699 }
613 } 700 }
701
702 vpn->connection_established (this);
614 } 703 }
615 else 704 else
616 { 705 {
617 retry_cnt = 0; 706 retry_cnt = 0;
618 establish_connection.start (NOW + 5); 707 establish_connection.start (5);
619 keepalive.stop (); 708 keepalive.stop ();
620 rekey.stop (); 709 rekey.stop ();
621 } 710 }
622} 711}
623 712
624void 713void
625connection::reset_si () 714connection::reset_si ()
626{ 715{
716 if (vpn->can_direct (THISNODE, conf))
627 protocol = best_protocol (THISNODE->protocols & conf->protocols); 717 protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
628 718 else
629 // mask out protocols we cannot establish 719 {
630 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 720 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
631 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 721 protocol = 0;
632 if (!conf->dns_port) protocol &= ~PROT_DNSv4; 722 }
633 723
634 si.set (conf, protocol); 724 si.set (conf, protocol);
725
726 is_direct = si.valid ();
635} 727}
636 728
637// ensure sockinfo is valid, forward if necessary 729// ensure sockinfo is valid, forward if necessary
638const sockinfo & 730const sockinfo &
639connection::forward_si (const sockinfo &si) const 731connection::forward_si (const sockinfo &si) const
640{ 732{
641 if (!si.valid ()) 733 if (!si.valid ())
642 { 734 {
643 connection *r = vpn->find_router (); 735 connection *r = vpn->find_router_for (this);
644 736
645 if (r) 737 if (r)
646 { 738 {
647 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"), 739 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
648 conf->nodename, r->conf->nodename); 740 conf->nodename, r->conf->nodename);
649 return r->si; 741 return r->si;
650 } 742 }
651 else 743 else
652 slog (L_DEBUG, _("%s: node unreachable, no common protocol"), 744 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
653 conf->nodename); 745 conf->nodename);
654 } 746 }
655 747
656 return si; 748 return si;
657} 749}
658 750
659void 751void
660connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos) 752connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
661{ 753{
662 bool ok; 754 if (!vpn->send_vpn_packet (pkt, si, tos))
663
664 switch (si.prot)
665 {
666 case PROT_IPv4:
667 ok = vpn->send_ipv4_packet (pkt, si, tos); break;
668 case PROT_UDPv4:
669 ok = vpn->send_udpv4_packet (pkt, si, tos); break;
670#if ENABLE_TCP
671 case PROT_TCPv4:
672 ok = vpn->send_tcpv4_packet (pkt, si, tos); break;
673#endif
674#if ENABLE_ICMP
675 case PROT_ICMPv4:
676 ok = vpn->send_icmpv4_packet (pkt, si, tos); break;
677#endif
678#if ENABLE_DNS
679 case PROT_DNSv4:
680 ok = send_dnsv4_packet (pkt, si, tos); break;
681#endif
682
683 default:
684 slog (L_CRIT, _("%s: FATAL: trying to send packet with unsupported protocol"), (const char *)si);
685 ok = false;
686 }
687
688 if (!ok)
689 reset_connection (); 755 reset_connection ();
690} 756}
691 757
692void 758void
693connection::send_ping (const sockinfo &si, u8 pong) 759connection::send_ping (const sockinfo &si, u8 pong)
694{ 760{
695 ping_packet *pkt = new ping_packet; 761 ping_packet *pkt = new ping_packet;
696 762
697 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 763 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
764
765 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
766
698 send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 767 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
699 768
700 delete pkt; 769 delete pkt;
701} 770}
702 771
721 790
722 rsachallenge chg; 791 rsachallenge chg;
723 rsa_cache.gen (pkt->id, chg); 792 rsa_cache.gen (pkt->id, chg);
724 rsa_encrypt (conf->rsa_key, chg, pkt->encr); 793 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
725 794
726 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 795 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
727 796
728 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 797 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
729 798
730 delete pkt; 799 delete pkt;
731} 800}
739 808
740 rsa_hash (id, chg, pkt->response); 809 rsa_hash (id, chg, pkt->response);
741 810
742 pkt->hmac_set (octx); 811 pkt->hmac_set (octx);
743 812
744 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 813 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
745 814
746 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 815 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
747 816
748 delete pkt; 817 delete pkt;
749} 818}
750 819
751void 820void
752connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 821connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
753{ 822{
754 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 823 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s)", conf->nodename,
755 conf->id, rid, (const char *)rsi); 824 vpn->conns[rid - 1]->conf->nodename, (const char *)rsi);
756 825
757 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 826 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
758 827
759 r->hmac_set (octx); 828 r->hmac_set (octx);
760 send_vpn_packet (r, si); 829 send_vpn_packet (r, si);
761 830
762 delete r; 831 delete r;
763} 832}
764 833
765void 834inline void
766connection::establish_connection_cb (time_watcher &w) 835connection::establish_connection_cb (ev::timer &w, int revents)
767{ 836{
768 if (!ictx 837 if (!ictx
769 && conf != THISNODE 838 && conf != THISNODE
770 && connectmode != conf_node::C_NEVER 839 && connectmode != conf_node::C_NEVER
771 && connectmode != conf_node::C_DISABLED 840 && connectmode != conf_node::C_DISABLED
772 && NOW > w.at) 841 && !w.is_active ())
773 { 842 {
774 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 843 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
775 844 // and stop trying. should probably be handled by a per-connection expire handler.
776 if (retry_int < conf->max_retry) 845 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
846 {
847 reset_connection ();
777 retry_cnt++; 848 return;
778 else 849 }
779 retry_int = conf->max_retry;
780 850
781 w.start (NOW + retry_int); 851 last_establish_attempt = ev_now ();
852
853 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
854 ? (retry_cnt & 3) + 1
855 : 1 << (retry_cnt >> 2));
782 856
783 reset_si (); 857 reset_si ();
784 858
785 if (si.prot && !si.host) 859 bool slow = si.prot & PROT_SLOW;
860
861 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
862 {
863 /*TODO*/ /* start the timer so we don't recurse endlessly */
864 w.start (1);
786 vpn->send_connect_request (conf->id); 865 vpn->send_connect_request (this);
866 }
787 else 867 else
788 { 868 {
869 if (si.valid ())
870 slog (L_DEBUG, _("%s: sending direct connection request to %s."),
871 conf->nodename, (const char *)si);
872
789 const sockinfo &dsi = forward_si (si); 873 const sockinfo &dsi = forward_si (si);
874
875 slow = slow || (dsi.prot & PROT_SLOW);
790 876
791 if (dsi.valid () && auth_rate_limiter.can (dsi)) 877 if (dsi.valid () && auth_rate_limiter.can (dsi))
792 { 878 {
793 if (retry_cnt < 4) 879 if (retry_cnt < 4)
794 send_auth_request (dsi, true); 880 send_auth_request (dsi, true);
795 else 881 else
796 send_ping (dsi, 0); 882 send_ping (dsi, 0);
797 } 883 }
798 } 884 }
885
886 retry_int *= slow ? 8. : 0.9;
887
888 if (retry_int < conf->max_retry)
889 retry_cnt++;
890 else
891 retry_int = conf->max_retry;
892
893 w.start (retry_int);
799 } 894 }
800} 895}
801 896
802void 897void
803connection::reset_connection () 898connection::reset_connection ()
806 { 901 {
807 slog (L_INFO, _("%s(%s): connection lost"), 902 slog (L_INFO, _("%s(%s): connection lost"),
808 conf->nodename, (const char *)si); 903 conf->nodename, (const char *)si);
809 904
810 if (::conf.script_node_down) 905 if (::conf.script_node_down)
811 run_script (run_script_cb (this, &connection::script_node_down), false); 906 {
907 run_script_cb *cb = new run_script_cb;
908 cb->set<connection, &connection::script_node_down> (this);
909 run_script_queued (cb, _("node-down command execution failed, continuing."));
910 }
812 } 911 }
813 912
814 delete ictx; ictx = 0; 913 delete ictx; ictx = 0;
815 delete octx; octx = 0; 914 delete octx; octx = 0;
915#if ENABLE_DNS
916 dnsv4_reset_connection ();
917#endif
816 918
817 si.host = 0; 919 si.host = 0;
818 920
819 last_activity = 0; 921 last_activity = 0.;
922 //last_si_change = 0.;
820 retry_cnt = 0; 923 retry_cnt = 0;
821 924
822 rekey.stop (); 925 rekey.stop ();
823 keepalive.stop (); 926 keepalive.stop ();
824 establish_connection.stop (); 927 establish_connection.stop ();
831 send_reset (si); 934 send_reset (si);
832 935
833 reset_connection (); 936 reset_connection ();
834} 937}
835 938
836void 939// poor-man's rekeying
837connection::rekey_cb (time_watcher &w) 940inline void
941connection::rekey_cb (ev::timer &w, int revents)
838{ 942{
839 reset_connection (); 943 reset_connection ();
840 establish_connection (); 944 establish_connection ();
841} 945}
842 946
858 if (oseqno > MAX_SEQNO) 962 if (oseqno > MAX_SEQNO)
859 rekey (); 963 rekey ();
860} 964}
861 965
862void 966void
967connection::post_inject_queue ()
968{
969 // force a connection every now and when when packets are sent (max 1/s)
970 if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
971 establish_connection.stop ();
972
973 establish_connection ();
974}
975
976void
863connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/) 977connection::inject_data_packet (tap_packet *pkt)
864{ 978{
865 if (ictx && octx) 979 if (ictx && octx)
866 send_data_packet (pkt); 980 send_data_packet (pkt);
867 else 981 else
868 { 982 {
869 if (!broadcast)//DDDD
870 data_queue.put (new tap_packet (*pkt)); 983 data_queue.put (new tap_packet (*pkt));
871 984 post_inject_queue ();
872 establish_connection ();
873 } 985 }
874} 986}
875 987
876void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 988void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
877{ 989{
878 if (ictx && octx) 990 if (ictx && octx)
879 send_vpn_packet (pkt, si, tos); 991 send_vpn_packet (pkt, si, tos);
880 else 992 else
881 { 993 {
882 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt)); 994 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
883 995 post_inject_queue ();
884 establish_connection ();
885 } 996 }
886} 997}
887 998
888void 999void
889connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 1000connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
890{ 1001{
891 last_activity = NOW; 1002 last_activity = ev_now ();
892 1003
893 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 1004 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
894 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 1005 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1006
1007 if (connectmode == conf_node::C_DISABLED)
1008 return;
895 1009
896 switch (pkt->typ ()) 1010 switch (pkt->typ ())
897 { 1011 {
898 case vpn_packet::PT_PING: 1012 case vpn_packet::PT_PING:
1013 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1014
899 // we send pings instead of auth packets after some retries, 1015 // we send pings instead of auth packets after some retries,
900 // so reset the retry counter and establish a connection 1016 // so reset the retry counter and establish a connection
901 // when we receive a ping. 1017 // when we receive a ping.
902 if (!ictx) 1018 if (!ictx)
903 { 1019 {
904 if (auth_rate_limiter.can (rsi)) 1020 if (auth_rate_limiter.can (rsi))
905 send_auth_request (rsi, true); 1021 send_auth_request (rsi, true);
906 } 1022 }
907 else 1023 else
1024 // we would love to change thre socket address here, but ping's aren't
1025 // authenticated, so we best ignore it.
908 send_ping (rsi, 1); // pong 1026 send_ping (rsi, 1); // pong
909 1027
910 break; 1028 break;
911 1029
912 case vpn_packet::PT_PONG: 1030 case vpn_packet::PT_PONG:
1031 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
913 break; 1032 break;
914 1033
915 case vpn_packet::PT_RESET: 1034 case vpn_packet::PT_RESET:
916 { 1035 {
917 reset_connection (); 1036 reset_connection ();
918 1037
919 config_packet *p = (config_packet *) pkt; 1038 config_packet *p = (config_packet *) pkt;
920 1039
921 if (!p->chk_config ()) 1040 if (!p->chk_config ())
922 { 1041 {
923 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), 1042 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
924 conf->nodename, (const char *)rsi); 1043 conf->nodename, (const char *)rsi);
925 connectmode = conf_node::C_DISABLED; 1044 connectmode = conf_node::C_DISABLED;
926 } 1045 }
927 else if (connectmode == conf_node::C_ALWAYS) 1046 else if (connectmode == conf_node::C_ALWAYS)
928 establish_connection (); 1047 establish_connection ();
932 case vpn_packet::PT_AUTH_REQ: 1051 case vpn_packet::PT_AUTH_REQ:
933 if (auth_rate_limiter.can (rsi)) 1052 if (auth_rate_limiter.can (rsi))
934 { 1053 {
935 auth_req_packet *p = (auth_req_packet *) pkt; 1054 auth_req_packet *p = (auth_req_packet *) pkt;
936 1055
937 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 1056 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s)", conf->nodename, p->initiate ? "initiate" : "reply");
938 1057
939 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 1058 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
940 { 1059 {
941 if (p->prot_minor != PROTOCOL_MINOR) 1060 if (p->prot_minor != PROTOCOL_MINOR)
942 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 1061 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
959 delete octx; 1078 delete octx;
960 1079
961 octx = new crypto_ctx (k, 1); 1080 octx = new crypto_ctx (k, 1);
962 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 1081 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
963 1082
964 // compatibility code, remove when no longer required
965 if (p->flags & 1) p->features |= FEATURE_COMPRESSION;
966
967 conf->protocols = p->protocols; 1083 conf->protocols = p->protocols;
968 features = p->features & config_packet::get_features (); 1084 features = p->features & config_packet::get_features ();
969 1085
970 send_auth_response (rsi, p->id, k); 1086 send_auth_response (rsi, p->id, k);
971 1087
973 1089
974 break; 1090 break;
975 } 1091 }
976 } 1092 }
977 else 1093 else
978 slog (L_WARN, _("%s(%s): protocol mismatch"), 1094 slog (L_WARN, _("%s(%s): protocol mismatch."),
979 conf->nodename, (const char *)rsi); 1095 conf->nodename, (const char *)rsi);
980 1096
981 send_reset (rsi); 1097 send_reset (rsi);
982 } 1098 }
983 1099
984 break; 1100 break;
985 1101
986 case vpn_packet::PT_AUTH_RES: 1102 case vpn_packet::PT_AUTH_RES:
987 { 1103 {
988 auth_res_packet *p = (auth_res_packet *) pkt; 1104 auth_res_packet *p = (auth_res_packet *)pkt;
989 1105
990 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 1106 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
991 1107
992 if (p->chk_config ()) 1108 if (p->chk_config ())
993 { 1109 {
994 if (p->prot_minor != PROTOCOL_MINOR) 1110 if (p->prot_minor != PROTOCOL_MINOR)
995 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 1111 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
998 1114
999 rsachallenge chg; 1115 rsachallenge chg;
1000 1116
1001 if (!rsa_cache.find (p->id, chg)) 1117 if (!rsa_cache.find (p->id, chg))
1002 { 1118 {
1003 slog (L_ERR, _("%s(%s): unrequested auth response ignored"), 1119 slog (L_ERR, _("%s(%s): unrequested auth response, ignoring."),
1004 conf->nodename, (const char *)rsi); 1120 conf->nodename, (const char *)rsi);
1005 break; 1121 break;
1006 } 1122 }
1007 else 1123 else
1008 { 1124 {
1009 crypto_ctx *cctx = new crypto_ctx (chg, 0); 1125 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1010 1126
1011 if (!p->hmac_chk (cctx)) 1127 if (!p->hmac_chk (cctx))
1012 { 1128 {
1013 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 1129 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1014 "could be an attack, or just corruption or a synchronization error"), 1130 "could be an attack, or just corruption or a synchronization error."),
1015 conf->nodename, (const char *)rsi); 1131 conf->nodename, (const char *)rsi);
1016 break; 1132 break;
1017 } 1133 }
1018 else 1134 else
1019 { 1135 {
1030 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 1146 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1031 1147
1032 si = rsi; 1148 si = rsi;
1033 protocol = rsi.prot; 1149 protocol = rsi.prot;
1034 1150
1151 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
1152 conf->nodename, (const char *)rsi,
1153 is_direct ? "direct" : "forwarded",
1154 p->prot_major, p->prot_minor);
1155
1035 connection_established (); 1156 connection_established ();
1036 1157
1037 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
1038 conf->nodename, (const char *)rsi,
1039 p->prot_major, p->prot_minor);
1040
1041 if (::conf.script_node_up) 1158 if (::conf.script_node_up)
1042 run_script (run_script_cb (this, &connection::script_node_up), false); 1159 {
1160 run_script_cb *cb = new run_script_cb;
1161 cb->set<connection, &connection::script_node_up> (this);
1162 run_script_queued (cb, _("node-up command execution failed, continuing."));
1163 }
1043 1164
1044 break; 1165 break;
1045 } 1166 }
1046 else 1167 else
1047 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1168 slog (L_ERR, _("%s(%s): sent and received challenge do not match."),
1048 conf->nodename, (const char *)rsi); 1169 conf->nodename, (const char *)rsi);
1049 } 1170 }
1050 1171
1051 delete cctx; 1172 delete cctx;
1052 } 1173 }
1068 { 1189 {
1069 vpndata_packet *p = (vpndata_packet *)pkt; 1190 vpndata_packet *p = (vpndata_packet *)pkt;
1070 1191
1071 if (!p->hmac_chk (ictx)) 1192 if (!p->hmac_chk (ictx))
1072 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n" 1193 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1073 "could be an attack, or just corruption or a synchronization error"), 1194 "could be an attack, or just corruption or a synchronization error."),
1074 conf->nodename, (const char *)rsi); 1195 conf->nodename, (const char *)rsi);
1075 else 1196 else
1076 { 1197 {
1077 u32 seqno; 1198 u32 seqno;
1078 tap_packet *d = p->unpack (this, seqno); 1199 tap_packet *d = p->unpack (this, seqno);
1200 int seqclass = iseqno.seqno_classify (seqno);
1079 1201
1080 if (iseqno.recv_ok (seqno)) 1202 if (seqclass == 0) // ok
1081 { 1203 {
1082 vpn->tap->send (d); 1204 vpn->tap->send (d);
1083 1205
1084 if (si != rsi) 1206 if (si != rsi)
1085 { 1207 {
1086 // fast re-sync on connection changes, useful especially for tcp/ip 1208 // fast re-sync on source address changes, useful especially for tcp/ip
1209 //if (last_si_change < ev_now () + 5.)
1087 si = rsi; 1210 // {
1088
1089 slog (L_INFO, _("%s(%s): socket address changed to %s"), 1211 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1090 conf->nodename, (const char *)si, (const char *)rsi); 1212 conf->nodename, (const char *)si, (const char *)rsi);
1213
1214 si = rsi;
1215 // }
1216 //else
1217 // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1218 // conf->nodename, (const char *)si, (const char *)rsi);
1091 } 1219 }
1220 }
1221 else if (seqclass == 1) // far history
1222 slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1223 "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1224 else if (seqclass == 2) // in-window duplicate, happens often on wireless
1225 slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1226 "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1227 else if (seqclass == 3) // reset
1228 {
1229 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1230 "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1231 send_reset (rsi);
1092 } 1232 }
1093 1233
1094 delete d; 1234 delete d;
1095 break; 1235 break;
1096 } 1236 }
1102 case vpn_packet::PT_CONNECT_REQ: 1242 case vpn_packet::PT_CONNECT_REQ:
1103 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1243 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1104 { 1244 {
1105 connect_req_packet *p = (connect_req_packet *) pkt; 1245 connect_req_packet *p = (connect_req_packet *) pkt;
1106 1246
1107 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1247 if (p->id > 0 && p->id <= vpn->conns.size ())
1108 connection *c = vpn->conns[p->id - 1];
1109 conf->protocols = p->protocols;
1110
1111 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1112 conf->id, p->id, c->ictx && c->octx);
1113
1114 if (c->ictx && c->octx)
1115 { 1248 {
1249 connection *c = vpn->conns[p->id - 1];
1250 conf->protocols = p->protocols;
1251
1252 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s) [%d]",
1253 conf->nodename, vpn->conns[p->id - 1]->conf->nodename, c->ictx && c->octx);
1254
1255 if (c->ictx && c->octx)
1256 {
1116 // send connect_info packets to both sides, in case one is 1257 // send connect_info packets to both sides, in case one is
1117 // behind a nat firewall (or both ;) 1258 // behind a nat firewall (or both ;)
1118 c->send_connect_info (conf->id, si, conf->protocols); 1259 c->send_connect_info (conf->id, si, conf->protocols);
1119 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1260 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1261 }
1262 else
1263 c->establish_connection ();
1120 } 1264 }
1121 else 1265 else
1122 c->establish_connection (); 1266 slog (L_WARN,
1267 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1268 p->id);
1123 } 1269 }
1124 1270
1125 break; 1271 break;
1126 1272
1127 case vpn_packet::PT_CONNECT_INFO: 1273 case vpn_packet::PT_CONNECT_INFO:
1128 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1274 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1129 { 1275 {
1130 connect_info_packet *p = (connect_info_packet *)pkt; 1276 connect_info_packet *p = (connect_info_packet *)pkt;
1131 1277
1132 if (p->id > 0 && p->id <= vpn->conns.size ()) // hmac-auth does not mean we accept anything 1278 if (p->id > 0 && p->id <= vpn->conns.size ())
1133 { 1279 {
1134 connection *c = vpn->conns[p->id - 1]; 1280 connection *c = vpn->conns[p->id - 1];
1135 1281
1136 c->conf->protocols = p->protocols; 1282 c->conf->protocols = p->protocols;
1137 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1283 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1138 p->si.upgrade_protocol (protocol, c->conf); 1284 p->si.upgrade_protocol (protocol, c->conf);
1139 1285
1140 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1286 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s) [%d]",
1287 conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1141 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1288 (const char *)p->si, !c->ictx && !c->octx);
1142 1289
1143 const sockinfo &dsi = forward_si (p->si); 1290 const sockinfo &dsi = forward_si (p->si);
1144 1291
1145 if (dsi.valid ()) 1292 if (dsi.valid ())
1146 c->send_auth_request (dsi, true); 1293 c->send_auth_request (dsi, true);
1147 } 1294 }
1295 else
1296 slog (L_WARN,
1297 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1298 p->id);
1148 } 1299 }
1149 1300
1150 break; 1301 break;
1151 1302
1152 default: 1303 default:
1153 send_reset (rsi); 1304 send_reset (rsi);
1154 break; 1305 break;
1155 } 1306 }
1156} 1307}
1157 1308
1158void connection::keepalive_cb (time_watcher &w) 1309inline void
1310connection::keepalive_cb (ev::timer &w, int revents)
1159{ 1311{
1160 if (NOW >= last_activity + ::conf.keepalive + 30) 1312 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1161 { 1313 {
1162 reset_connection (); 1314 reset_connection ();
1163 establish_connection (); 1315 establish_connection ();
1164 } 1316 }
1165 else if (NOW < last_activity + ::conf.keepalive) 1317 else if (ev_now () < last_activity + ::conf.keepalive)
1166 w.start (last_activity + ::conf.keepalive); 1318 w.start (last_activity + ::conf.keepalive - ev::now ());
1167 else if (conf->connectmode != conf_node::C_ONDEMAND 1319 else if (conf->connectmode != conf_node::C_ONDEMAND
1168 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1320 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1169 { 1321 {
1170 send_ping (si); 1322 send_ping (si);
1171 w.start (NOW + 5); 1323 w.start (5);
1172 } 1324 }
1173 else if (NOW < last_activity + ::conf.keepalive + 10) 1325 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1174 // hold ondemand connections implicitly a few seconds longer 1326 // hold ondemand connections implicitly a few seconds longer
1175 // should delete octx, though, or something like that ;) 1327 // should delete octx, though, or something like that ;)
1176 w.start (last_activity + ::conf.keepalive + 10); 1328 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1177 else 1329 else
1178 reset_connection (); 1330 reset_connection ();
1179} 1331}
1180 1332
1181void connection::send_connect_request (int id) 1333void connection::send_connect_request (int id)
1182{ 1334{
1183 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1335 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1184 1336
1185 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1337 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s)",
1338 conf->nodename, vpn->conns[id - 1]->conf->nodename);
1186 p->hmac_set (octx); 1339 p->hmac_set (octx);
1187 send_vpn_packet (p, si); 1340 send_vpn_packet (p, si);
1188 1341
1189 delete p; 1342 delete p;
1190} 1343}
1191 1344
1345void connection::script_init_env (const char *ext)
1346{
1347 char *env;
1348 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1349 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1350 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1351 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1352 conf->id & 0xff); putenv (env);
1353}
1354
1192void connection::script_node () 1355void connection::script_init_connect_env ()
1193{ 1356{
1194 vpn->script_if_up (); 1357 vpn->script_init_env ();
1195 1358
1196 char *env; 1359 char *env;
1197 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1360 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1198 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1361 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1199 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1362 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1200 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1363 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1201} 1364}
1202 1365
1366inline const char *
1203const char *connection::script_node_up () 1367connection::script_node_up ()
1204{ 1368{
1205 script_node (); 1369 script_init_connect_env ();
1206 1370
1207 putenv ("STATE=up"); 1371 putenv ((char *)"STATE=up");
1208 1372
1373 char *filename;
1374 asprintf (&filename,
1375 "%s/%s",
1376 confbase,
1209 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1377 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1210}
1211 1378
1379 return filename;
1380}
1381
1382inline const char *
1212const char *connection::script_node_down () 1383connection::script_node_down ()
1213{ 1384{
1214 script_node (); 1385 script_init_connect_env ();
1215 1386
1216 putenv ("STATE=down"); 1387 putenv ((char *)"STATE=down");
1217 1388
1218 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1389 char *filename;
1390 asprintf (&filename,
1391 "%s/%s",
1392 confbase,
1393 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1394
1395 return filename;
1219} 1396}
1220 1397
1221connection::connection (struct vpn *vpn, conf_node *conf) 1398connection::connection (struct vpn *vpn, conf_node *conf)
1222: vpn(vpn), conf(conf) 1399: vpn(vpn), conf(conf),
1223, rekey (this, &connection::rekey_cb)
1224, keepalive (this, &connection::keepalive_cb)
1225, establish_connection (this, &connection::establish_connection_cb)
1226#if ENABLE_DNS 1400#if ENABLE_DNS
1227, dnsv4_tw (this, &connection::dnsv4_cb) 1401 dns (0),
1228#endif 1402#endif
1403 data_queue(conf->max_ttl, conf->max_queue + 1),
1404 vpn_queue(conf->max_ttl, conf->max_queue + 1)
1229{ 1405{
1406 rekey .set<connection, &connection::rekey_cb > (this);
1407 keepalive .set<connection, &connection::keepalive_cb > (this);
1408 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1409
1410 last_establish_attempt = 0.;
1230 octx = ictx = 0; 1411 octx = ictx = 0;
1231 retry_cnt = 0;
1232 1412
1233 if (!conf->protocols) // make sure some protocol is enabled 1413 if (!conf->protocols) // make sure some protocol is enabled
1234 conf->protocols = PROT_UDPv4; 1414 conf->protocols = PROT_UDPv4;
1235 1415
1236 connectmode = conf_node::C_ALWAYS; // initial setting 1416 connectmode = conf->connectmode;
1417
1418 // queue a dummy packet to force an initial connection attempt
1419 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1420 vpn_queue.put (new net_packet);
1421
1237 reset_connection (); 1422 reset_connection ();
1238} 1423}
1239 1424
1240connection::~connection () 1425connection::~connection ()
1241{ 1426{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines