1 | /* |
1 | /* |
2 | vpn.C -- handle the protocol, encryption, handshaking etc. |
2 | vpn.C -- handle the protocol, encryption, handshaking etc. |
|
|
3 | Copyright (C) 2003 Marc Lehmann <pcg@goof.com> |
3 | |
4 | |
4 | This program is free software; you can redistribute it and/or modify |
5 | This program is free software; you can redistribute it and/or modify |
5 | it under the terms of the GNU General Public License as published by |
6 | it under the terms of the GNU General Public License as published by |
6 | the Free Software Foundation; either version 2 of the License, or |
7 | the Free Software Foundation; either version 2 of the License, or |
7 | (at your option) any later version. |
8 | (at your option) any later version. |
… | |
… | |
24 | #include <cstring> |
25 | #include <cstring> |
25 | #include <cstdio> |
26 | #include <cstdio> |
26 | |
27 | |
27 | #include <sys/types.h> |
28 | #include <sys/types.h> |
28 | #include <sys/socket.h> |
29 | #include <sys/socket.h> |
29 | #include <sys/poll.h> |
|
|
30 | #include <sys/wait.h> |
30 | #include <sys/wait.h> |
31 | #include <errno.h> |
31 | #include <errno.h> |
32 | #include <time.h> |
32 | #include <time.h> |
33 | #include <unistd.h> |
33 | #include <unistd.h> |
34 | #include <fcntl.h> |
34 | #include <fcntl.h> |
35 | #include <sys/socket.h> |
35 | #include <sys/socket.h> |
36 | #include <netinet/in.h> |
36 | |
37 | #include <arpa/inet.h> |
37 | #include "netcompat.h" |
38 | #include <net/if.h> |
|
|
39 | #ifdef HAVE_NETINET_IN_SYSTM_H |
|
|
40 | # include <netinet/in_systm.h> |
|
|
41 | #endif |
|
|
42 | #ifdef HAVE_NETINET_IP_H |
|
|
43 | # include <netinet/ip.h> |
|
|
44 | #endif |
|
|
45 | #ifdef HAVE_NETINET_TCP_H |
|
|
46 | # include <netinet/tcp.h> |
|
|
47 | #endif |
|
|
48 | #if ENABLE_ICMP |
|
|
49 | # include <netinet/ip_icmp.h> |
|
|
50 | #endif |
|
|
51 | |
38 | |
52 | #include "pidfile.h" |
39 | #include "pidfile.h" |
53 | |
40 | |
54 | #include "connection.h" |
41 | #include "connection.h" |
55 | #include "util.h" |
42 | #include "util.h" |
56 | #include "vpn.h" |
43 | #include "vpn.h" |
57 | |
44 | |
58 | #if !defined(SOL_IP) && defined(IPPROTO_IP) |
45 | vpn network; // THE vpn (bad design...) |
59 | # define SOL_IP IPPROTO_IP |
|
|
60 | #endif |
|
|
61 | |
46 | |
62 | ///////////////////////////////////////////////////////////////////////////// |
47 | ///////////////////////////////////////////////////////////////////////////// |
63 | |
48 | |
64 | const char *vpn::script_if_up () |
49 | const char *vpn::script_if_up () |
65 | { |
50 | { |
… | |
… | |
320 | |
305 | |
321 | return ~sum; |
306 | return ~sum; |
322 | } |
307 | } |
323 | |
308 | |
324 | #if ENABLE_ICMP |
309 | #if ENABLE_ICMP |
325 | struct icmp_header { |
|
|
326 | u8 type; |
|
|
327 | u8 code; |
|
|
328 | u16 checksum; |
|
|
329 | union { |
|
|
330 | struct { |
|
|
331 | u16 id; |
|
|
332 | u16 sequence; |
|
|
333 | } echo; |
|
|
334 | u32 gateway; |
|
|
335 | struct { |
|
|
336 | u16 unused; |
|
|
337 | u16 mtu; |
|
|
338 | } frag; |
|
|
339 | } un; |
|
|
340 | }; |
|
|
341 | |
|
|
342 | bool |
310 | bool |
343 | vpn::send_icmpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos) |
311 | vpn::send_icmpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos) |
344 | { |
312 | { |
345 | #if defined(SOL_IP) && defined(IP_TOS) |
313 | #if defined(SOL_IP) && defined(IP_TOS) |
346 | setsockopt (icmpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos); |
314 | setsockopt (icmpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos); |
… | |
… | |
367 | setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos); |
335 | setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos); |
368 | #endif |
336 | #endif |
369 | sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ()); |
337 | sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ()); |
370 | |
338 | |
371 | return true; |
339 | return true; |
|
|
340 | } |
|
|
341 | |
|
|
342 | void |
|
|
343 | vpn::inject_data_packet (tap_packet *pkt, int dst) |
|
|
344 | { |
|
|
345 | if (dst) |
|
|
346 | { |
|
|
347 | // unicast |
|
|
348 | if (dst != THISNODE->id) |
|
|
349 | conns[dst - 1]->inject_data_packet (pkt); |
|
|
350 | } |
|
|
351 | else |
|
|
352 | { |
|
|
353 | // broadcast, this is ugly, but due to the security policy |
|
|
354 | // we have to connect to all hosts... |
|
|
355 | for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) |
|
|
356 | if ((*c)->conf != THISNODE) |
|
|
357 | (*c)->inject_data_packet (pkt, true); |
|
|
358 | } |
372 | } |
359 | } |
373 | |
360 | |
374 | void |
361 | void |
375 | vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) |
362 | vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) |
376 | { |
363 | { |
… | |
… | |
393 | connection *c = conns[src - 1]; |
380 | connection *c = conns[src - 1]; |
394 | |
381 | |
395 | if (dst == 0) |
382 | if (dst == 0) |
396 | slog (L_WARN, _("%s(%s): received broadcast (protocol violation)"), |
383 | slog (L_WARN, _("%s(%s): received broadcast (protocol violation)"), |
397 | c->conf->nodename, (const char *)rsi); |
384 | c->conf->nodename, (const char *)rsi); |
398 | else if (dst != 0 && dst != THISNODE->id) |
385 | else if (dst != THISNODE->id) |
399 | { |
386 | { |
400 | if (THISNODE->routerprio) |
387 | if (THISNODE->routerprio) |
401 | // the tos setting gets lost here. who cares. |
388 | // the tos setting gets lost here. who cares. |
402 | conns[dst - 1]->inject_vpn_packet (pkt); |
389 | conns[dst - 1]->inject_vpn_packet (pkt); |
403 | else |
390 | else |
… | |
… | |
564 | /* process data */ |
551 | /* process data */ |
565 | tap_packet *pkt; |
552 | tap_packet *pkt; |
566 | |
553 | |
567 | pkt = tap->recv (); |
554 | pkt = tap->recv (); |
568 | |
555 | |
|
|
556 | if (!pkt) |
|
|
557 | return; |
|
|
558 | |
|
|
559 | if (pkt->len > 14) |
|
|
560 | { |
569 | int dst = mac2id (pkt->dst); |
561 | int dst = mac2id (pkt->dst); |
570 | int src = mac2id (pkt->src); |
562 | int src = mac2id (pkt->src); |
571 | |
563 | |
572 | if (src != THISNODE->id) |
564 | if (src != THISNODE->id) |
573 | { |
|
|
574 | slog (L_ERR, _("FATAL: tap packet not originating on current node received, exiting.")); |
|
|
575 | exit (1); |
|
|
576 | } |
|
|
577 | |
|
|
578 | if (dst == THISNODE->id) |
|
|
579 | { |
|
|
580 | slog (L_ERR, _("FATAL: tap packet destined for current node received, exiting.")); |
|
|
581 | exit (1); |
|
|
582 | } |
|
|
583 | |
|
|
584 | if (dst > conns.size ()) |
|
|
585 | slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst); |
|
|
586 | else |
|
|
587 | { |
|
|
588 | if (dst) |
|
|
589 | { |
565 | { |
590 | // unicast |
566 | slog (L_ERR, _("FATAL: tap packet not originating on current node received, exiting.")); |
591 | if (dst != THISNODE->id) |
567 | exit (1); |
592 | conns[dst - 1]->inject_data_packet (pkt); |
|
|
593 | } |
568 | } |
|
|
569 | |
|
|
570 | if (dst == THISNODE->id) |
|
|
571 | { |
|
|
572 | slog (L_ERR, _("FATAL: tap packet destined for current node received, exiting.")); |
|
|
573 | exit (1); |
|
|
574 | } |
|
|
575 | |
|
|
576 | if (dst > conns.size ()) |
|
|
577 | slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst); |
594 | else |
578 | else |
595 | { |
|
|
596 | // broadcast, this is ugly, but due to the security policy |
|
|
597 | // we have to connect to all hosts... |
|
|
598 | for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) |
|
|
599 | if ((*c)->conf != THISNODE) |
|
|
600 | (*c)->inject_data_packet (pkt); |
579 | inject_data_packet (pkt, dst); |
601 | } |
|
|
602 | } |
580 | } |
603 | |
581 | |
604 | delete pkt; |
582 | delete pkt; |
605 | } |
583 | } |
606 | else if (revents & (POLLHUP | POLLERR)) |
584 | else if (revents & (POLLHUP | POLLERR)) |