j3d1/tinc
1
0
Fork 0
Code Issues 1 Pull requests Releases Wiki Activity
tinc/src/node.h

126 lines
5.6 KiB
C
Raw Normal View History

Started implementing doc/CONNECTIVITY.
2001-10-09 19:30:30 +00:00
/*
node.h -- header for node.c
Releasing 1.1pre5.
2013-01-20 20:03:22 +00:00
Copyright (C) 2001-2013 Guus Sliepen <guus@tinc-vpn.org>,
Update copyright notices, remove Ivo's email address.
2006-04-26 13:52:58 +00:00
2001-2005 Ivo Timmermans
Started implementing doc/CONNECTIVITY.
2001-10-09 19:30:30 +00:00
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
Update the address of the Free Software Foundation in all copyright headers.
2009-09-24 22:01:00 +00:00
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Started implementing doc/CONNECTIVITY.
2001-10-09 19:30:30 +00:00
*/
Further implementation of doc/CONNECTIVITY. connection.[ch] is now split into a node, vertex and connection part.
2001-10-10 08:49:47 +00:00
#ifndef __TINC_NODE_H__
#define __TINC_NODE_H__
Use splay trees instead of AVL trees.
2007-05-18 10:05:26 +00:00
#include "splay_tree.h"
Use the crypto wrappers again instead of calling OpenSSL directly. This theoretically allows other cryptographic libraries to be used, and it improves the readability of the code.
2008-12-11 14:44:44 +00:00
#include "cipher.h"
Big bad commit: - Transition to new node/vertex/connection structures - Use new configuration handling everywhere - Linux tun/tap device handling cleanup - Start of IPv6 support in route.c It compiles, but it won't link.
2001-10-27 12:13:17 +00:00
#include "connection.h"
Use the crypto wrappers again instead of calling OpenSSL directly. This theoretically allows other cryptographic libraries to be used, and it improves the readability of the code.
2008-12-11 14:44:44 +00:00
#include "digest.h"
Drop libevent and use our own event handling again. There are several reasons for this: - MacOS/X doesn't support polling the tap device using kqueue, requiring a workaround to fall back to select(). - On Windows only sockets are properly handled, therefore tinc uses a second thread that does a blocking ReadFile() on the TAP-Win32/64 device. However, this does not mix well with libevent. - Libevent, event just the core, is quite large, and although it is easy to get and install on many platforms, it can be a burden. - Libev is more lightweight and seems technically superior, but it doesn't abstract away all the platform differences (for example, async events are not supported on Windows).
2012-11-29 11:28:23 +00:00
#include "event.h"
Big header file cleanup: everything that has to do with standard system libraries is moved to system.h.
2003-07-17 15:06:27 +00:00
#include "subnet.h"
Big bad commit: - Transition to new node/vertex/connection structures - Use new configuration handling everywhere - Linux tun/tap device handling cleanup - Start of IPv6 support in route.c It compiles, but it won't link.
2001-10-27 12:13:17 +00:00
Ensure tinc compiles with gcc -std=c99. We use a lot of C99 features already, but also some extensions which are not in the standard.
2009-09-08 19:45:24 +00:00
typedef struct node_status_t {
Fix whitespace.
2012-10-10 15:17:49 +00:00
unsigned int unused_active:1; /* 1 if active (not used for nodes) */
unsigned int validkey:1; /* 1 if we currently have a valid key for him */
unsigned int waitingforkey:1; /* 1 if we already sent out a request */
unsigned int visited:1; /* 1 if this node has been visited by one of the graph algorithms */
unsigned int reachable:1; /* 1 if this node is reachable in the graph */
unsigned int indirect:1; /* 1 if this node is not directly reachable by us */
Use a status bit to track which nodes use SPTPS.
2012-07-31 19:43:49 +00:00
unsigned int sptps:1; /* 1 if this node supports SPTPS */
Fix whitespace.
2012-10-10 15:17:49 +00:00
unsigned int udp_confirmed:1; /* 1 if the address is one that we received UDP traffic on */
Use edge local addresses for local discovery. This introduces a new way of doing local discovery: when tinc has local address information for the recipient node, it will send local discovery packets directly to the local address of that node, instead of using broadcast packets. This new way of doing local discovery provides numerous advantages compared to using broadcasts: - No broadcast packets "polluting" the local network; - Reliable even if the sending host has multiple network interfaces (in contrast, broadcasts will only be sent through one unpredictable interface) - Works even if the two hosts are not on the same broadcast domain. One example is a large LAN where the two hosts might be on different local subnets. In fact, thanks to UDP hole punching this might even work if there is a NAT sitting in the middle of the LAN between the two nodes! - Sometimes a node is reachable through its "normal" address, and via a local subnet as well. One might think the local subnet is the best route to the node in this case, but more often than not it's actually worse - one example is where the local segment is a third party VPN running in parallel, or ironically it can be the local segment formed by the tinc VPN itself! Because this new algorithm only checks the addresses for which an edge is already established, it is less likely to fall into these traps.
2014-06-22 16:27:55 +00:00
unsigned int send_locally:1; /* 1 if the next UDP packet should be sent on the local network */
Make LocalDiscovery work for SPTPS packets.
2013-11-21 21:13:14 +00:00
unsigned int unused:23;
Big bad commit: - Transition to new node/vertex/connection structures - Use new configuration handling everywhere - Linux tun/tap device handling cleanup - Start of IPv6 support in route.c It compiles, but it won't link.
2001-10-27 12:13:17 +00:00
} node_status_t;
Started implementing doc/CONNECTIVITY.
2001-10-09 19:30:30 +00:00
typedef struct node_t {
Fix whitespace.
2012-10-10 15:17:49 +00:00
char *name; /* name of this node */
Introduce node IDs. This introduces a new type of identifier for nodes, which complements node names: node IDs. Node IDs are defined as the first 6 bytes of the SHA-256 hash of the node name. They will be used in future code in lieu of node names as unique node identifiers in contexts where space is at a premium (such as VPN packets). The semantics of node IDs is that they are supposed to be unique in a tinc graph; i.e. two different nodes that are part of the same graph should not have the same ID, otherwise things could break. This solution provides this guarantee based on realistic probabilities: indeed, according to the birthday problem, with a 48-bit hash, the probability of at least one collision is 1e-13 with 10 nodes, 1e-11 with 100 nodes, 1e-9 with 1000 nodes and 1e-7 with 10000 nodes. Things only start getting hairy with more than 1 million nodes, as the probability gets over 0.2%.
2014-09-21 17:17:02 +00:00
node_id_t id; /* unique node ID (name hash) */
Fix whitespace.
2012-10-10 15:17:49 +00:00
uint32_t options; /* options turned on for this node */
Started implementing doc/CONNECTIVITY.
2001-10-09 19:30:30 +00:00
Fix whitespace.
2012-10-10 15:17:49 +00:00
int sock; /* Socket to use for outgoing UDP packets */
sockaddr_t address; /* his real (internet) ip to send UDP packets to */
char *hostname; /* the hostname of its real ip */
Started implementing doc/CONNECTIVITY.
2001-10-09 19:30:30 +00:00
Use bools and enums where appropriate.
2003-07-22 20:55:21 +00:00
node_status_t status;
Keep last known address and time since reachability changed. This allows tincctl info to show since when a node is online or offline.
2012-09-26 20:20:43 +00:00
time_t last_state_change;
Be liberal in accepting KEY_CHANGED/REQ_KEY/ANS_KEY requests. When we got a key request for or from a node we don't know, we disconnected the node that forwarded us that request. However, especially in TunnelServer mode, disconnecting does not help. We now ignore such requests, but since there is no way of telling the original sender that the request was dropped, we now retry sending REQ_KEY requests when we don't get an ANS_KEY back.
2010-01-23 17:48:01 +00:00
time_t last_req_key;
Big bad commit: - Transition to new node/vertex/connection structures - Use new configuration handling everywhere - Linux tun/tap device handling cleanup - Start of IPv6 support in route.c It compiles, but it won't link.
2001-10-27 12:13:17 +00:00
Use conditional compilation for cryptographic functions. This gets rid of the rest of the symbolic links. However, as a consequence, the crypto header files have now moved to src/, and can no longer contain library-specific declarations. Therefore, cipher_t, digest_t, ecdh_t, ecdsa_t and rsa_t are now all opaque types, and only pointers to those types can be used.
2013-05-01 15:17:22 +00:00
ecdsa_t *ecdsa; /* His public ECDSA key */
Use datagram SPTPS for packet exchange between nodes. When two nodes which support SPTPS want to send packets to each other, they now always use SPTPS. The node initiating the SPTPS session send the first SPTPS packet via an extended REQ_KEY messages. All other handshake messages are sent using ANS_KEY messages. This ensures that intermediate nodes using an older version of tinc can still help with NAT traversal. After the authentication phase is over, SPTPS packets are sent via UDP, or are encapsulated in extended REQ_KEY messages instead of PACKET messages.
2012-07-30 16:36:59 +00:00
sptps_t sptps;
Support ECDH key exchange. REQ_KEY requests have an extra field indicating key exchange version. If it is present and > 0, the sender supports ECDH. If the receiver also does, then it will generate a new keypair and sends the public key in a ANS_KEY request with "ECDH:" prefixed. The ans_key_h() function will compute the shared secret, which, at the moment,is used as is to set the cipher and HMAC keys. However, this must be changed to use a proper KDF. In the future, the ECDH key exchange must also be signed.
2011-07-03 11:17:28 +00:00
Allow tinc to be compiled without OpenSSL. The option "--disable-legacy-protocol" was added to the configure script. The new protocol does not depend on any external crypto libraries, so when the option is used tinc is no longer linked to OpenSSL's libcrypto.
2014-12-29 21:57:18 +00:00
#ifndef DISABLE_LEGACY
Use conditional compilation for cryptographic functions. This gets rid of the rest of the symbolic links. However, as a consequence, the crypto header files have now moved to src/, and can no longer contain library-specific declarations. Therefore, cipher_t, digest_t, ecdh_t, ecdsa_t and rsa_t are now all opaque types, and only pointers to those types can be used.
2013-05-01 15:17:22 +00:00
cipher_t *incipher; /* Cipher for UDP packets */
digest_t *indigest; /* Digest for UDP packets */
Merging of the entire pre5 branch.
2002-02-10 21:57:54 +00:00
Use conditional compilation for cryptographic functions. This gets rid of the rest of the symbolic links. However, as a consequence, the crypto header files have now moved to src/, and can no longer contain library-specific declarations. Therefore, cipher_t, digest_t, ecdh_t, ecdsa_t and rsa_t are now all opaque types, and only pointers to those types can be used.
2013-05-01 15:17:22 +00:00
cipher_t *outcipher; /* Cipher for UDP packets */
digest_t *outdigest; /* Digest for UDP packets */
Allow tinc to be compiled without OpenSSL. The option "--disable-legacy-protocol" was added to the configure script. The new protocol does not depend on any external crypto libraries, so when the option is used tinc is no longer linked to OpenSSL's libcrypto.
2014-12-29 21:57:18 +00:00
#endif
Merging of the entire pre5 branch.
2002-02-10 21:57:54 +00:00
Fix whitespace.
2012-10-10 15:17:49 +00:00
int incompression; /* Compressionlevel, 0 = no compression */
int outcompression; /* Compressionlevel, 0 = no compression */
Added support for packet compression, thanks to Mark Glines. Add "Compression = <level>" to the host config files, where level can be 0 (off), or any integer between 1 (fast) and 9 (best).
2002-02-11 15:59:18 +00:00
Use Dijkstra's algorithm. Based on patches from Max Rijevskiy.
2008-12-11 18:07:26 +00:00
int distance;
Fix whitespace.
2012-10-10 15:17:49 +00:00
struct node_t *nexthop; /* nearest node from us to him */
struct edge_t *prevedge; /* nearest node from him to us */
struct node_t *via; /* next hop for UDP packets */
Started implementing doc/CONNECTIVITY.
2001-10-09 19:30:30 +00:00
Fix whitespace.
2012-10-10 15:17:49 +00:00
splay_tree_t *subnet_tree; /* Pointer to a tree of subnets belonging to this node */
Revert to edge and graph stuff. This time, use a directed graph.
2002-09-04 13:48:52 +00:00
Fix whitespace.
2012-10-10 15:17:49 +00:00
splay_tree_t *edge_tree; /* Edges with this node as one of the endpoints */
Merging of the entire pre5 branch.
2002-02-10 21:57:54 +00:00
Fix whitespace.
2012-10-10 15:17:49 +00:00
struct connection_t *connection; /* Connection associated with this node (if a direct connection exists) */
Switch to K&R style indentation.
2002-09-09 21:25:28 +00:00
Fix whitespace.
2012-10-10 15:17:49 +00:00
uint32_t sent_seqno; /* Sequence number last sent to this node */
uint32_t received_seqno; /* Sequence number last received from this node */
Count the number of correctly received UDP packets. Keep track of the number of correct, non-replayed UDP packets that have been received, regardless of their content. This can be compared to the sequence number to determine the real packet loss.
2013-01-15 12:33:16 +00:00
uint32_t received; /* Total valid packets received from this node */
Estimate RTT, bandwidth and packet loss between nodes. Without adding any extra traffic, we can measure round trip times, estimate the bandwidth and packet loss between nodes. The RTT and bandwidth can be measured by timing the MTU probe packets. The RTT is the difference between the time a burst of MTU probes was sent and when the first reply is received. The bandwidth can be estimated by multiplying the size of the probe packets by the time between succesive received probe replies of the same burst. The packet loss can be estimated for incoming traffic by comparing how many packets have actually been received to the increase in the sequence numbers. The estimates are not perfect. Especially bandwidth is difficult to measure, the only accurate way is to continuously send as much data as possible, but that is obviously not desirable. The packet loss rate is also almost always a few percent when sending a lot of data over the VPN via TCP, since TCP *needs* packet loss to work properly.
2013-01-16 15:31:56 +00:00
uint32_t prev_received_seqno;
uint32_t prev_received;
Fix whitespace.
2012-10-10 15:17:49 +00:00
uint32_t farfuture; /* Packets in a row that have arrived from the far future */
unsigned char* late; /* Bitfield marking late packets */
Let tinc figure out the exact MTU of the link.
2003-12-20 19:47:53 +00:00
Add UDP discovery mechanism. This adds a new mechanism by which tinc can determine if a node is reachable via UDP. The new mechanism is currently redundant with the PMTU discovery mechanism - that will be fixed in a future commit. Conceptually, the UDP discovery mechanism works similarly to PMTU discovery: it sends UDP probes (of minmtu size, to make sure the tunnel is fully usable), and assumes UDP is usable if it gets replies. It assumes UDP is broken if too much time has passed since the last reply. The big difference with the current PMTU discovery mechanism, however, is that UDP discovery probes are only triggered as part of the packet TX path (through try_tx()). This is quite interesting, because it means tinc will never send UDP pings more often than normal packets, and most importantly, it will automatically stop sending pings as soon as packets stop flowing, thereby nicely reducing network chatter. Of course, there are small drawbacks in some edge cases: for example, if a node only sends one packet every minute to another node, these packets will only be sent over TCP, because the interval between packets is too long for tinc to maintain the UDP tunnel. I consider this a feature, not a bug: I believe it is appropriate to use TCP in scenarios where traffic is negligible, so that we don't pollute the network with pings just to maintain a UDP tunnel that's seeing negligible usage.
2014-12-29 10:34:39 +00:00
struct timeval udp_ping_sent; /* Last time a ping probe was sent */
timeout_t udp_ping_timeout; /* Ping timeout event */
Fix whitespace.
2012-10-10 15:17:49 +00:00
length_t mtu; /* Maximum size of packets to send to this node */
length_t minmtu; /* Probed minimum MTU */
length_t maxmtu; /* Probed maximum MTU */
int mtuprobes; /* Number of probes */
Move PMTU discovery code into the TX path. Currently, the PMTU discovery code is run by a timeout callback, independently of tunnel activity. This commit moves it into the TX path, meaning that send_mtu_probe_handler() is only called if a packet is about to be sent. Consequently, it has been renamed to try_mtu() for consistency with try_tx(), try_udp() and try_sptps(). Running PMTU discovery code only as part of the TX path prevents PMTU discovery from generating unreasonable amounts of traffic when the "real" traffic is negligible. One extreme example is sending one real packet and then going silent: in the current code this one little packet will result in the entire PMTU discovery algorithm being run from start to finish, resulting in absurd write traffic amplification. With this patch, PMTU discovery stops as soon as "real" packets stop flowing, and will be no more aggressive than the underlying traffic. Furthermore, try_mtu() only runs if there is confirmed UDP connectivity as per the UDP discovery mechanism. This prevents unnecessary network chatter - previously, the PMTU discovery code would send bursts of (potentially large) probe packets every second even if there was nothing on the other side. With this patch, the PMTU code only does that if something replied to the lightweight UDP discovery pings. These inefficiencies were made even worse when the node is not a direct neighbour, as tinc will use PMTU discovery both on the destination node *and* the relay. UDP discovery is more lightweight for this purpose. As a bonus, this code simplifies overall code somewhat - state is easier to manage when code is run in predictable contexts as opposed to "surprise callbacks". In addition, there is no need to call PMTU discovery code outside of net_packet.c anymore, thereby simplifying module boundaries.
2014-12-29 16:47:49 +00:00
struct timeval probe_sent_time; /* Time the last probe was sent */
Estimate RTT, bandwidth and packet loss between nodes. Without adding any extra traffic, we can measure round trip times, estimate the bandwidth and packet loss between nodes. The RTT and bandwidth can be measured by timing the MTU probe packets. The RTT is the difference between the time a burst of MTU probes was sent and when the first reply is received. The bandwidth can be estimated by multiplying the size of the probe packets by the time between succesive received probe replies of the same burst. The packet loss can be estimated for incoming traffic by comparing how many packets have actually been received to the increase in the sequence numbers. The estimates are not perfect. Especially bandwidth is difficult to measure, the only accurate way is to continuously send as much data as possible, but that is obviously not desirable. The packet loss rate is also almost always a few percent when sending a lot of data over the VPN via TCP, since TCP *needs* packet loss to work properly.
2013-01-16 15:31:56 +00:00
struct timeval probe_time; /* Time the last probe was sent or received */
int probe_counter; /* Number of probes received since last burst was sent */
float rtt; /* Last measured round trip time */
float packetloss; /* Last measured packet loss rate */
Add per-node traffic counters.
2011-05-14 22:42:29 +00:00
uint64_t in_packets;
uint64_t in_bytes;
uint64_t out_packets;
uint64_t out_bytes;
Started implementing doc/CONNECTIVITY.
2001-10-09 19:30:30 +00:00
} node_t;
Further implementation of doc/CONNECTIVITY. connection.[ch] is now split into a node, vertex and connection part.
2001-10-10 08:49:47 +00:00
Big bad commit: - Transition to new node/vertex/connection structures - Use new configuration handling everywhere - Linux tun/tap device handling cleanup - Start of IPv6 support in route.c It compiles, but it won't link.
2001-10-27 12:13:17 +00:00
extern struct node_t *myself;
Use splay trees instead of AVL trees.
2007-05-18 10:05:26 +00:00
extern splay_tree_t *node_tree;
Further implementation of doc/CONNECTIVITY. connection.[ch] is now split into a node, vertex and connection part.
2001-10-10 08:49:47 +00:00
Big bad commit: - Transition to new node/vertex/connection structures - Use new configuration handling everywhere - Linux tun/tap device handling cleanup - Start of IPv6 support in route.c It compiles, but it won't link.
2001-10-27 12:13:17 +00:00
extern void init_nodes(void);
extern void exit_nodes(void);
Prevent definitions from messing up attributes.
2003-07-30 21:52:41 +00:00
extern node_t *new_node(void) __attribute__ ((__malloc__));
- Non-blocking connect()s. - Socket handling revamped to use sockaddr_t. - tinc can now tunnel over IPv6. - Handle all addresses and subnets in network byte order. Only convert them when they need to be printed. - IPv6 subnets bigger than /128 now work. - Use %s and strerror(errno) instead of %m.
2002-02-18 16:25:19 +00:00
extern void free_node(node_t *);
extern void node_add(node_t *);
extern void node_del(node_t *);
Fix compile errors and warnings.
2003-07-29 10:50:15 +00:00
extern node_t *lookup_node(char *);
Introduce node IDs. This introduces a new type of identifier for nodes, which complements node names: node IDs. Node IDs are defined as the first 6 bytes of the SHA-256 hash of the node name. They will be used in future code in lieu of node names as unique node identifiers in contexts where space is at a premium (such as VPN packets). The semantics of node IDs is that they are supposed to be unique in a tinc graph; i.e. two different nodes that are part of the same graph should not have the same ID, otherwise things could break. This solution provides this guarantee based on realistic probabilities: indeed, according to the birthday problem, with a 48-bit hash, the probability of at least one collision is 1e-13 with 10 nodes, 1e-11 with 100 nodes, 1e-9 with 1000 nodes and 1e-7 with 10000 nodes. Things only start getting hairy with more than 1 million nodes, as the probability gets over 0.2%.
2014-09-21 17:17:02 +00:00
extern node_t *lookup_node_id(const node_id_t *);
Sprinkle around a lot of const and some C99 initialisers.
2003-07-24 12:08:16 +00:00
extern node_t *lookup_node_udp(const sockaddr_t *);
Use the TCP socket infrastructure for control sockets. The control socket code was completely different from how meta connections are handled, resulting in lots of extra code to handle requests. Also, not every operating system has UNIX sockets, so we have to resort to another type of sockets or pipes for those anyway. To reduce code duplication and make control sockets work the same on all platforms, we now just connect to the TCP port where tincd is already listening on. To authenticate, the program that wants to control a running tinc daemon must send the contents of a cookie file. The cookie is a random 256 bits number that is regenerated every time tincd starts. The cookie file should only be readable by the same user that can start a tincd. Instead of the binary-ish protocol previously used, we now use an ASCII protocol similar to that of the meta connections, but this can still change.
2009-11-07 22:43:25 +00:00
extern bool dump_nodes(struct connection_t *);
Fix some compiler warnings.
2011-05-17 08:58:22 +00:00
extern bool dump_traffic(struct connection_t *);
Handle UDP packets from different and ports than advertised. Previously, tinc used a fixed address and port for each node for UDP packet exchange. The port was the one advertised by that node as its listening port. However, due to NAT the port might be different. Now, tinc sends a different session key to each node. This way, the sending node can be determined from incoming packets by checking the MAC against all session keys. If a match is found, the address and port for that node are updated.
2009-04-02 23:05:23 +00:00
extern void update_node_udp(node_t *, const sockaddr_t *);
Big bad commit: - Transition to new node/vertex/connection structures - Use new configuration handling everywhere - Linux tun/tap device handling cleanup - Start of IPv6 support in route.c It compiles, but it won't link.
2001-10-27 12:13:17 +00:00
Fix whitespace.
2012-10-10 15:17:49 +00:00
#endif /* __TINC_NODE_H__ */
Reference in a new issue Copy permalink