--- gvpe/src/protocol.C 2003/03/02 23:04:02 1.2 +++ gvpe/src/protocol.C 2003/03/22 22:39:11 1.14 @@ -18,6 +18,8 @@ #include "config.h" +#include + #include #include #include @@ -62,17 +64,108 @@ challenge_bytes () { static rsachallenge challenge; - static time_t challenge_ttl; // time this challenge needs to be recreated + static double challenge_ttl; // time this challenge needs to be recreated - if (now > challenge_ttl) + if (NOW > challenge_ttl) { RAND_bytes ((unsigned char *)&challenge, sizeof (challenge)); - challenge_ttl = now + CHALLENGE_TTL; + challenge_ttl = NOW + CHALLENGE_TTL; } return challenge; } +// caching of rsa operations really helps slow computers +struct rsa_entry { + tstamp expire; + rsachallenge chg; + RSA *key; // which key + rsaencrdata encr; + + rsa_entry () + { + expire = NOW + CHALLENGE_TTL; + } +}; + +struct rsa_cache : list +{ + void cleaner_cb (tstamp &ts); time_watcher cleaner; + + const rsaencrdata *public_encrypt (RSA *key, const rsachallenge &chg) + { + for (iterator i = begin (); i != end (); ++i) + { + if (i->key == key && !memcmp (&chg, &i->chg, sizeof chg)) + return &i->encr; + } + + if (cleaner.at < NOW) + cleaner.start (NOW + CHALLENGE_TTL); + + resize (size () + 1); + rsa_entry *e = &(*rbegin ()); + + e->key = key; + memcpy (&e->chg, &chg, sizeof chg); + + if (0 > RSA_public_encrypt (sizeof chg, + (unsigned char *)&chg, (unsigned char *)&e->encr, + key, RSA_PKCS1_OAEP_PADDING)) + fatal ("RSA_public_encrypt error"); + + return &e->encr; + } + + const rsachallenge *private_decrypt (RSA *key, const rsaencrdata &encr) + { + for (iterator i = begin (); i != end (); ++i) + if (i->key == key && !memcmp (&encr, &i->encr, sizeof encr)) + return &i->chg; + + if (cleaner.at < NOW) + cleaner.start (NOW + CHALLENGE_TTL); + + resize (size () + 1); + rsa_entry *e = &(*rbegin ()); + + e->key = key; + memcpy (&e->encr, &encr, sizeof encr); + + if (0 > RSA_private_decrypt (sizeof encr, + (unsigned char *)&encr, (unsigned char *)&e->chg, + key, RSA_PKCS1_OAEP_PADDING)) + { + pop_back (); + return 0; + } + + return &e->chg; + } + + rsa_cache () + : cleaner (this, &rsa_cache::cleaner_cb) + { } + +} rsa_cache; + +void rsa_cache::cleaner_cb (tstamp &ts) +{ + if (empty ()) + ts = TSTAMP_CANCEL; + else + { + ts = NOW + 3; + for (iterator i = begin (); i != end (); ) + { + if (i->expire >= NOW) + i = erase (i); + else + ++i; + } + } +} + // run a script. yes, it's a template function. yes, c++ // is not a functional language. yes, this suxx. template @@ -114,11 +207,11 @@ EVP_CIPHER_CTX cctx; HMAC_CTX hctx; - crypto_ctx (rsachallenge &challenge, int enc); + crypto_ctx (const rsachallenge &challenge, int enc); ~crypto_ctx (); }; -crypto_ctx::crypto_ctx (rsachallenge &challenge, int enc) +crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc) { EVP_CIPHER_CTX_init (&cctx); EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); @@ -132,6 +225,93 @@ HMAC_CTX_cleanup (&hctx); } +////////////////////////////////////////////////////////////////////////////// + +void pkt_queue::put (tap_packet *p) +{ + if (queue[i]) + { + delete queue[i]; + j = (j + 1) % QUEUEDEPTH; + } + + queue[i] = p; + + i = (i + 1) % QUEUEDEPTH; +} + +tap_packet *pkt_queue::get () +{ + tap_packet *p = queue[j]; + + if (p) + { + queue[j] = 0; + j = (j + 1) % QUEUEDEPTH; + } + + return p; +} + +pkt_queue::pkt_queue () +{ + memset (queue, 0, sizeof (queue)); + i = 0; + j = 0; +} + +pkt_queue::~pkt_queue () +{ + for (i = QUEUEDEPTH; --i > 0; ) + delete queue[i]; +} + +// only do action once every x seconds per host. +// currently this is quite a slow implementation, +// but suffices for normal operation. +struct u32_rate_limiter : private map + { + tstamp every; + + bool can (u32 host); + + u32_rate_limiter (tstamp every = 1) + { + this->every = every; + } + }; + +struct net_rate_limiter : u32_rate_limiter + { + bool can (SOCKADDR *sa) { return u32_rate_limiter::can((u32)sa->sin_addr.s_addr); } + bool can (sockinfo &si) { return u32_rate_limiter::can((u32)si.host); } + + net_rate_limiter (tstamp every) : u32_rate_limiter (every) {} + }; + +bool u32_rate_limiter::can (u32 host) +{ + iterator i; + + for (i = begin (); i != end (); ) + if (i->second <= NOW) + { + erase (i); + i = begin (); + } + else + ++i; + + i = find (host); + + if (i != end ()) + return false; + + insert (value_type (host, NOW + every)); + + return true; +} + ///////////////////////////////////////////////////////////////////////////// static void next_wakeup (time_t next) @@ -202,10 +382,12 @@ { return src1 | ((srcdst >> 4) << 8); } + unsigned int dst () { return dst1 | ((srcdst & 0xf) << 8); } + ptype typ () { return (ptype) type; @@ -254,7 +436,6 @@ cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); if (cl) { - //printf ("compressed packet, %d => %d\n", l, cl);//D type = PT_DATA_COMPRESSED; d = cdata; l = cl + 2; @@ -266,25 +447,22 @@ EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); -#if RAND_SIZE struct { +#if RAND_SIZE u8 rnd[RAND_SIZE]; +#endif u32 seqno; } datahdr; - datahdr.seqno = seqno; + datahdr.seqno = ntohl (seqno); +#if RAND_SIZE RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); +#endif EVP_EncryptUpdate (cctx, (unsigned char *) data + outl, &outl2, (unsigned char *) &datahdr, DATAHDR); outl += outl2; -#else - EVP_EncryptUpdate (cctx, - (unsigned char *) data + outl, &outl2, - (unsigned char *) &seqno, DATAHDR); - outl += outl2; -#endif EVP_EncryptUpdate (cctx, (unsigned char *) data + outl, &outl2, @@ -330,7 +508,7 @@ EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); outl += outl2; - seqno = *(u32 *)(d + RAND_SIZE); + seqno = ntohl (*(u32 *)(d + RAND_SIZE)); id2mac (dst () ? dst() : THISNODE->id, p->dst); id2mac (src (), p->src); @@ -340,7 +518,6 @@ { u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6; - //printf ("decompressxed %d(%d) => %d\n", cl, len - data_hdr_size (), p->len);//D } else p->len = outl + (6 + 6 - DATAHDR); @@ -371,8 +548,7 @@ const u8 curflags () const { return 0x80 - | (ENABLE_COMPRESSION ? 0x01 : 0x00) - | (ENABLE_TRUST ? 0x02 : 0x00); + | (ENABLE_COMPRESSION ? 0x01 : 0x00); } void setup (ptype type, int dst) @@ -483,7 +659,7 @@ ping_packet *pkt = new ping_packet; pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); - vpn->send_vpn_packet (pkt, dsa); + vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY); delete pkt; } @@ -493,102 +669,80 @@ { static net_rate_limiter limiter(1); - if (limiter.can (dsa)) + if (limiter.can (dsa) && connectmode != conf_node::C_DISABLED) { config_packet *pkt = new config_packet; pkt->setup (vpn_packet::PT_RESET, conf->id); - vpn->send_vpn_packet (pkt, dsa); + vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST); delete pkt; } } static rsachallenge * -gen_challenge (SOCKADDR *sa) +gen_challenge (u32 seqrand, SOCKADDR *sa) { static rsachallenge k; memcpy (&k, &challenge_bytes (), sizeof (k)); - RAND_bytes ((unsigned char *)&k[CHG_SEQNO], sizeof (u32)); + *(u32 *)&k[CHG_SEQNO] ^= seqrand; xor_sa (k, sa); return &k; } void -connection::send_auth (auth_subtype subtype, SOCKADDR *sa, rsachallenge *k) +connection::send_auth (auth_subtype subtype, SOCKADDR *sa, const rsachallenge *k) { - static net_rate_limiter limiter(2); + static net_rate_limiter limiter(0.2); if (subtype != AUTH_INIT || limiter.can (sa)) { - auth_packet *pkt = new auth_packet (conf->id, subtype); - - //printf ("send auth_packet subtype %d\n", subtype);//D - if (!k) - k = gen_challenge (sa); + k = gen_challenge (seqrand, sa); -#if ENABLE_TRUST - if (0 > RSA_public_encrypt (sizeof (*k), - (unsigned char *)k, (unsigned char *)&pkt->challenge, - conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) - fatal ("RSA_public_encrypt error"); -#else -# error untrusted mode not yet implemented: programemr does not know how to - rsaencrdata enc; - - if (0 > RSA_private_encrypt (sizeof (*k), - (unsigned char *)k, (unsigned char *)&enc, - ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) - fatal ("RSA_private_encrypt error"); - - if (0 > RSA_public_encrypt (sizeof (enc), - (unsigned char *)enc, (unsigned char *)&pkt->challenge, - conf->rsa_key, RSA_NO_PADDING)) - fatal ("RSA_public_encrypt error"); -#endif + auth_packet *pkt = new auth_packet (conf->id, subtype); + + memcpy (pkt->challenge, rsa_cache.public_encrypt (conf->rsa_key, *k), sizeof (rsaencrdata)); slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); - vpn->send_vpn_packet (pkt, sa); + vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); delete pkt; } } void -connection::establish_connection () +connection::establish_connection_cb (tstamp &ts) { - if (!ictx && conf != THISNODE && conf->connectmode != conf_node::C_NEVER) + if (ictx || conf == THISNODE || connectmode == conf_node::C_NEVER) + ts = TSTAMP_CANCEL; + else if (ts <= NOW) { - if (now >= next_retry) - { - int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2); + double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.25; - if (retry_cnt < (17 << 2) | 3) - retry_cnt++; + if (retry_int < 3600 * 8) + retry_cnt++; - if (conf->connectmode == conf_node::C_ONDEMAND - && retry_int > ::conf.keepalive) - retry_int = ::conf.keepalive; + if (connectmode == conf_node::C_ONDEMAND + && retry_int > ::conf.keepalive) + retry_int = ::conf.keepalive; - next_retry = now + retry_int; - next_wakeup (next_retry); + ts = NOW + retry_int; - if (conf->hostname) - { - reset_dstaddr (); - if (sa.sin_addr.s_addr) - if (retry_cnt < 4) - send_auth (AUTH_INIT, &sa); - else - send_ping (&sa, 0); - } - else - vpn->connect_request (conf->id); + if (conf->hostname) + { + reset_dstaddr (); + if (sa.sin_addr.s_addr) + if (retry_cnt < 4) + send_auth (AUTH_INIT, &sa); + else + send_ping (&sa, 0); } + else + vpn->connect_request (conf->id); } } @@ -603,18 +757,19 @@ run_script (this, &connection::script_node_down, false); } - delete ictx; - ictx = 0; + delete ictx; ictx = 0; + delete octx; octx = 0; - delete octx; - octx = 0; + RAND_bytes ((unsigned char *)&seqrand, sizeof (u32)); sa.sin_port = 0; sa.sin_addr.s_addr = 0; - next_retry = 0; - next_rekey = 0; last_activity = 0; + + rekey.reset (); + keepalive.reset (); + establish_connection.reset (); } void @@ -627,8 +782,10 @@ } void -connection::rekey () +connection::rekey_cb (tstamp &ts) { + ts = TSTAMP_CANCEL; + reset_connection (); establish_connection (); } @@ -637,9 +794,15 @@ connection::send_data_packet (tap_packet * pkt, bool broadcast) { vpndata_packet *p = new vpndata_packet; + int tos = 0; + + if (conf->inherit_tos + && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP + && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 + tos = (*pkt)[15] & IPTOS_TOS_MASK; p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs - vpn->send_vpn_packet (p, &sa); + vpn->send_vpn_packet (p, &sa, tos); delete p; @@ -664,7 +827,7 @@ void connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa) { - last_activity = now; + last_activity = NOW; slog (L_NOISE, "<<%d received packet type %d from %d to %d", conf->id, pkt->typ (), pkt->src (), pkt->dst ()); @@ -682,7 +845,7 @@ if (!ictx && !octx) { retry_cnt = 0; - next_retry = 0; + establish_connection.at = 0; establish_connection (); } @@ -693,11 +856,13 @@ reset_connection (); config_packet *p = (config_packet *) pkt; - if (p->chk_config ()) - if (conf->connectmode == conf_node::C_ALWAYS) - establish_connection (); - - //D slog the protocol mismatch? + if (!p->chk_config ()) + { + slog (L_WARN, _("protocol mismatch, disabling node '%s'"), conf->nodename); + connectmode = conf_node::C_DISABLED; + } + else if (connectmode == conf_node::C_ALWAYS) + establish_connection (); } break; @@ -717,26 +882,9 @@ if (p->subtype == AUTH_INIT) send_auth (AUTH_INITREPLY, ssa); - rsachallenge k; + const rsachallenge *k = rsa_cache.private_decrypt (::conf.rsa_key, p->challenge); -#if ENABLE_TRUST - if (0 > RSA_private_decrypt (sizeof (rsaencrdata), - (unsigned char *)&p->challenge, (unsigned char *)&k, - ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) - // continued below -#else - rsaencrdata j; - - if (0 > RSA_private_decrypt (sizeof (rsaencrdata), - (unsigned char *)&p->challenge, (unsigned char *)&j, - ::conf.rsa_key, RSA_NO_PADDING)) - fatal ("RSA_private_decrypt error"); - - if (0 > RSA_public_decrypt (sizeof (k), - (unsigned char *)&j, (unsigned char *)&k, - conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) - // continued below -#endif + if (!k) { slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"), conf->nodename, (const char *)sockinfo (ssa)); @@ -744,7 +892,9 @@ } retry_cnt = 0; - next_retry = now + 8; + establish_connection.set (NOW + 8); //? ;) + keepalive.reset (); + rekey.reset (); switch (p->subtype) { @@ -755,27 +905,25 @@ delete octx; - octx = new crypto_ctx (k, 1); - oseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; + octx = new crypto_ctx (*k, 1); + oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; - send_auth (AUTH_REPLY, ssa, &k); + send_auth (AUTH_REPLY, ssa, k); break; case AUTH_REPLY: - if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32), - sizeof (rsachallenge) - sizeof (u32))) + if (!memcmp ((u8 *)gen_challenge (seqrand, ssa), (u8 *)k, sizeof (rsachallenge))) { delete ictx; - ictx = new crypto_ctx (k, 0); - iseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; // at least 2**31 sequence numbers are valid - ismask = 0xffffffff; // initially, all lower sequence numbers are invalid + ictx = new crypto_ctx (*k, 0); + iseqno.reset (ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid sa = *ssa; - next_rekey = now + ::conf.rekey; - next_wakeup (next_rekey); + rekey.set (NOW + ::conf.rekey); + keepalive.set (NOW + ::conf.keepalive); // send queued packets while (tap_packet *p = queue.get ()) @@ -784,6 +932,8 @@ delete p; } + connectmode = conf->connectmode; + slog (L_INFO, _("connection to %d (%s %s) established"), conf->id, conf->nodename, (const char *)sockinfo (ssa)); @@ -828,45 +978,22 @@ u32 seqno; tap_packet *d = p->unpack (this, seqno); - if (seqno <= iseqno - 32) - slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n" - "possible replay attack, or just massive packet reordering"), seqno, iseqno + 1);//D - else if (seqno > iseqno + 32) - slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n" - "possible replay attack, or just massive packet loss"), seqno, iseqno + 1);//D - else + if (iseqno.recv_ok (seqno)) { - if (seqno > iseqno) - { - ismask <<= seqno - iseqno; - iseqno = seqno; - } - - u32 mask = 1 << (iseqno - seqno); - - //printf ("received seqno %08lx, iseqno %08lx, mask %08lx is %08lx\n", seqno, iseqno, mask, ismask); - if (ismask & mask) - slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n" - "possible replay attack, or just packet duplication"), seqno, iseqno + 1);//D - else - { - ismask |= mask; - - vpn->tap->send (d); - - if (p->dst () == 0) // re-broadcast - for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) - { - connection *c = *i; - - if (c->conf != THISNODE && c->conf != conf) - c->inject_data_packet (d); - } + vpn->tap->send (d); - delete d; + if (p->dst () == 0) // re-broadcast + for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) + { + connection *c = *i; - break; - } + if (c->conf != THISNODE && c->conf != conf) + c->inject_data_packet (d); + } + + delete d; + + break; } } } @@ -891,17 +1018,35 @@ if (c->ictx && c->octx) { - sockinfo si(sa); - - slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", - c->conf->id, p->id, (const char *)si); + // send connect_info packets to both sides, in case one is + // behind a nat firewall (or both ;) + { + sockinfo si(sa); + + slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", + c->conf->id, conf->id, (const char *)si); + + connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si); - connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si); + r->hmac_set (c->octx); + vpn->send_vpn_packet (r, &c->sa); - r->hmac_set (c->octx); - vpn->send_vpn_packet (r, &c->sa); + delete r; + } + + { + sockinfo si(c->sa); + + slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", + conf->id, c->conf->id, (const char *)si); - delete r; + connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si); + + r->hmac_set (octx); + vpn->send_vpn_packet (r, &sa); + + delete r; + } } } @@ -929,31 +1074,24 @@ } } -void connection::timer () +void connection::keepalive_cb (tstamp &ts) { - if (conf != THISNODE) + if (NOW >= last_activity + ::conf.keepalive + 30) { - if (now >= next_retry && conf->connectmode == conf_node::C_ALWAYS) - establish_connection (); - - if (ictx && octx) - { - if (now >= next_rekey) - rekey (); - else if (now >= last_activity + ::conf.keepalive + 30) - { - reset_connection (); - establish_connection (); - } - else if (now >= last_activity + ::conf.keepalive) - if (conf->connectmode != conf_node::C_ONDEMAND - || THISNODE->connectmode != conf_node::C_ONDEMAND) - send_ping (&sa); - else - reset_connection (); - - } + reset_connection (); + establish_connection (); } + else if (NOW < last_activity + ::conf.keepalive) + ts = last_activity + ::conf.keepalive; + else if (conf->connectmode != conf_node::C_ONDEMAND + || THISNODE->connectmode != conf_node::C_ONDEMAND) + { + send_ping (&sa); + ts = NOW + 5; + } + else + reset_connection (); + } void connection::connect_request (int id) @@ -1000,10 +1138,25 @@ return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; } -///////////////////////////////////////////////////////////////////////////// +connection::connection(struct vpn *vpn_) +: vpn(vpn_) +, rekey (this, &connection::rekey_cb) +, keepalive (this, &connection::keepalive_cb) +, establish_connection (this, &connection::establish_connection_cb) +{ + octx = ictx = 0; + retry_cnt = 0; -vpn::vpn (void) -{} + connectmode = conf_node::C_ALWAYS; // initial setting + reset_connection (); +} + +connection::~connection () +{ + shutdown (); +} + +///////////////////////////////////////////////////////////////////////////// const char *vpn::script_if_up () { @@ -1064,21 +1217,28 @@ setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval); } + udp_ev_watcher.start (socket_fd, POLLIN); + tap = new tap_device (); if (!tap) //D this, of course, never catches { slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname); exit (1); } - + run_script (this, &vpn::script_if_up, true); + vpn_ev_watcher.start (tap->fd, POLLIN); + + reconnect_all (); + return 0; } void -vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa) +vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos) { + setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos); sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); } @@ -1105,8 +1265,7 @@ conn->conf = *i; conns.push_back (conn); - if (conn->conf->connectmode == conf_node::C_ALWAYS) - conn->establish_connection (); + conn->establish_connection (); } } @@ -1120,7 +1279,7 @@ connection *c = *i; if (c->conf->routerprio > prio - && c->conf->connectmode == conf_node::C_ALWAYS + && c->connectmode == conf_node::C_ALWAYS && c->conf != THISNODE && c->ictx && c->octx) { @@ -1138,184 +1297,167 @@ if (c) c->connect_request (id); + //else // does not work, because all others must connect to the same router + // // no router found, aggressively connect to all routers + // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i) + // if ((*i)->conf->routerprio) + // (*i)->establish_connection (); } void -vpn::main_loop () +vpn::udp_ev (short revents) { - struct pollfd pollfd[2]; - - pollfd[0].fd = tap->fd; - pollfd[0].events = POLLIN; - pollfd[1].fd = socket_fd; - pollfd[1].events = POLLIN; - - events = 0; - now = time (0); - next_timecheck = now + 1; - - reconnect_all (); - - for (;;) + if (revents & (POLLIN | POLLERR)) { - int npoll = poll (pollfd, 2, (next_timecheck - now) * 1000); - - now = time (0); + vpn_packet *pkt = new vpn_packet; + struct sockaddr_in sa; + socklen_t sa_len = sizeof (sa); + int len; - if (npoll > 0) - { - if (pollfd[1].revents) - { - if (pollfd[1].revents & (POLLIN | POLLERR)) - { - vpn_packet *pkt = new vpn_packet; - struct sockaddr_in sa; - socklen_t sa_len = sizeof (sa); - int len; + len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len); - len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len); - - if (len > 0) - { - pkt->len = len; + if (len > 0) + { + pkt->len = len; - unsigned int src = pkt->src (); - unsigned int dst = pkt->dst (); + unsigned int src = pkt->src (); + unsigned int dst = pkt->dst (); - slog (L_NOISE, _("<typ (), pkt->src (), pkt->dst (), pkt->len); + slog (L_NOISE, _("<typ (), pkt->src (), pkt->dst (), pkt->len); - if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX) - slog (L_WARN, _("<typ (), pkt->src (), pkt->dst ()); - else if (dst == 0 && !THISNODE->routerprio) - slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst); - else if (dst != 0 && dst != THISNODE->id) - slog (L_WARN, - _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"), - dst, conns[dst - 1]->conf->nodename, - (const char *)sockinfo (sa), - THISNODE->id, THISNODE->nodename); - else if (src == 0 || src > conns.size ()) - slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa)); - else - conns[src - 1]->recv_vpn_packet (pkt, &sa); - } - else - { - // probably ECONNRESET or somesuch - slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno)); - } + if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX) + slog (L_WARN, _("<typ (), pkt->src (), pkt->dst ()); + else if (dst == 0 && !THISNODE->routerprio) + slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst); + else if (dst != 0 && dst != THISNODE->id) + slog (L_WARN, + _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"), + dst, conns[dst - 1]->conf->nodename, + (const char *)sockinfo (sa), + THISNODE->id, THISNODE->nodename); + else if (src == 0 || src > conns.size ()) + slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa)); + else + conns[src - 1]->recv_vpn_packet (pkt, &sa); + } + else + { + // probably ECONNRESET or somesuch + slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno)); + } - delete pkt; - } - else if (pollfd[1].revents & POLLHUP) - { - // this cannot ;) happen on udp sockets - slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating.")); - exit (1); - } - else - { - slog (L_ERR, - _("FATAL: unknown revents %08x in socket, terminating\n"), - pollfd[1].revents); - exit (1); - } - } + delete pkt; + } + else if (revents & POLLHUP) + { + // this cannot ;) happen on udp sockets + slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating.")); + exit (1); + } + else + { + slog (L_ERR, + _("FATAL: unknown revents %08x in socket, terminating\n"), + revents); + exit (1); + } +} - // I use else here to give vpn_packets absolute priority - else if (pollfd[0].revents) - { - if (pollfd[0].revents & POLLIN) - { - /* process data */ - tap_packet *pkt; +void +vpn::vpn_ev (short revents) +{ + if (revents & POLLIN) + { + /* process data */ + tap_packet *pkt; - pkt = tap->recv (); + pkt = tap->recv (); - int dst = mac2id (pkt->dst); - int src = mac2id (pkt->src); + int dst = mac2id (pkt->dst); + int src = mac2id (pkt->src); - if (src != THISNODE->id) - { - slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating.")); - exit (1); - } + if (src != THISNODE->id) + { + slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating.")); + exit (1); + } - if (dst == THISNODE->id) - { - slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating.")); - exit (1); - } + if (dst == THISNODE->id) + { + slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating.")); + exit (1); + } - if (dst > conns.size ()) - slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst); - else - { - if (dst) - { - // unicast - if (dst != THISNODE->id) - conns[dst - 1]->inject_data_packet (pkt); - } - else - { - // broadcast, first check router, then self, then english - connection *router = find_router (); - - if (router) - router->inject_data_packet (pkt, true); - else - for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) - if ((*c)->conf != THISNODE) - (*c)->inject_data_packet (pkt); - } - } + if (dst > conns.size ()) + slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst); + else + { + if (dst) + { + // unicast + if (dst != THISNODE->id) + conns[dst - 1]->inject_data_packet (pkt); + } + else + { + // broadcast, first check router, then self, then english + connection *router = find_router (); - delete pkt; - } - else if (pollfd[0].revents & (POLLHUP | POLLERR)) - { - slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating.")); - exit (1); - } + if (router) + router->inject_data_packet (pkt, true); else - abort (); + for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) + if ((*c)->conf != THISNODE) + (*c)->inject_data_packet (pkt); } } - if (events) - { - if (events & EVENT_SHUTDOWN) - { - shutdown_all (); - - remove_pid (pidfilename); + delete pkt; + } + else if (revents & (POLLHUP | POLLERR)) + { + slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating.")); + exit (1); + } + else + abort (); +} - slog (L_INFO, _("vped terminating")); +void +vpn::event_cb (tstamp &ts) +{ + if (events) + { + if (events & EVENT_SHUTDOWN) + { + shutdown_all (); - exit (0); - } + remove_pid (pidfilename); - if (events & EVENT_RECONNECT) - reconnect_all (); + slog (L_INFO, _("vped terminating")); - events = 0; + exit (0); } - // very very very dumb and crude and inefficient timer handling, or maybe not? - if (now >= next_timecheck) - { - next_timecheck = now + TIMER_GRANULARITY; + if (events & EVENT_RECONNECT) + reconnect_all (); - for (conns_vector::iterator c = conns.begin (); - c != conns.end (); ++c) - (*c)->timer (); - } + events = 0; } + + ts = TSTAMP_CANCEL; +} + +vpn::vpn (void) +: udp_ev_watcher (this, &vpn::udp_ev) +, vpn_ev_watcher (this, &vpn::vpn_ev) +, event (this, &vpn::event_cb) +{ } vpn::~vpn () -{} +{ +}