Add the Forwarding option.
This determines if and how incoming packets that are not meant for the local node are forwarded. It can either be off, internal (tinc forwards them itself, as in previous versions), or kernel (packets are always sent to the TUN/TAP device, letting the kernel sort them out).
This commit is contained in:
parent
5038964032
commit
95a6974de1
5 changed files with 79 additions and 4 deletions
|
@ -199,6 +199,26 @@ Tinc will expect packets read from the virtual network device
|
||||||
to start with an Ethernet header.
|
to start with an Ethernet header.
|
||||||
.El
|
.El
|
||||||
|
|
||||||
|
.It Va Forwarding Li = off | internal | kernel Pq internal
|
||||||
|
This option selects the way indirect packets are forwarded.
|
||||||
|
.Bl -tag -width indent
|
||||||
|
|
||||||
|
.It off
|
||||||
|
Incoming packets that are not meant for the local node,
|
||||||
|
but which should be forwarded to another node, are dropped.
|
||||||
|
|
||||||
|
.It internal
|
||||||
|
Incoming packets that are meant for another node are forwarded by tinc internally.
|
||||||
|
|
||||||
|
.Pp
|
||||||
|
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
|
||||||
|
|
||||||
|
.It kernel
|
||||||
|
Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
|
||||||
|
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
|
||||||
|
and can also help debugging.
|
||||||
|
.El
|
||||||
|
|
||||||
.It Va GraphDumpFile Li = Ar filename Bq experimental
|
.It Va GraphDumpFile Li = Ar filename Bq experimental
|
||||||
If this option is present,
|
If this option is present,
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
|
|
|
@ -818,6 +818,26 @@ Tinc will expect packets read from the virtual network device
|
||||||
to start with an Ethernet header.
|
to start with an Ethernet header.
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
|
@cindex Forwarding
|
||||||
|
@item Forwarding = <off|internal|kernel> (internal)
|
||||||
|
This option selects the way indirect packets are forwarded.
|
||||||
|
|
||||||
|
@table @asis
|
||||||
|
@item off
|
||||||
|
Incoming packets that are not meant for the local node,
|
||||||
|
but which should be forwarded to another node, are dropped.
|
||||||
|
|
||||||
|
@item internal
|
||||||
|
Incoming packets that are meant for another node are forwarded by tinc internally.
|
||||||
|
|
||||||
|
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
|
||||||
|
|
||||||
|
@item kernel
|
||||||
|
Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
|
||||||
|
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
|
||||||
|
and can also help debugging.
|
||||||
|
@end table
|
||||||
|
|
||||||
@cindex GraphDumpFile
|
@cindex GraphDumpFile
|
||||||
@item GraphDumpFile = <@var{filename}> [experimental]
|
@item GraphDumpFile = <@var{filename}> [experimental]
|
||||||
If this option is present,
|
If this option is present,
|
||||||
|
|
|
@ -355,8 +355,21 @@ bool setup_myself(void) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
free(mode);
|
free(mode);
|
||||||
} else
|
}
|
||||||
routing_mode = RMODE_ROUTER;
|
|
||||||
|
if(get_config_string(lookup_config(config_tree, "Forwarding"), &mode)) {
|
||||||
|
if(!strcasecmp(mode, "off"))
|
||||||
|
routing_mode = FMODE_OFF;
|
||||||
|
else if(!strcasecmp(mode, "internal"))
|
||||||
|
routing_mode = FMODE_INTERNAL;
|
||||||
|
else if(!strcasecmp(mode, "kernel"))
|
||||||
|
routing_mode = FMODE_KERNEL;
|
||||||
|
else {
|
||||||
|
logger(LOG_ERR, "Invalid forwarding mode!");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
free(mode);
|
||||||
|
}
|
||||||
|
|
||||||
choice = true;
|
choice = true;
|
||||||
get_config_bool(lookup_config(myself->connection->config_tree, "PMTUDiscovery"), &choice);
|
get_config_bool(lookup_config(myself->connection->config_tree, "PMTUDiscovery"), &choice);
|
||||||
|
|
19
src/route.c
19
src/route.c
|
@ -33,6 +33,7 @@
|
||||||
#include "utils.h"
|
#include "utils.h"
|
||||||
|
|
||||||
rmode_t routing_mode = RMODE_ROUTER;
|
rmode_t routing_mode = RMODE_ROUTER;
|
||||||
|
fmode_t forwarding_mode = FMODE_INTERNAL;
|
||||||
bool priorityinheritance = false;
|
bool priorityinheritance = false;
|
||||||
int macexpire = 600;
|
int macexpire = 600;
|
||||||
bool overwrite_mac = false;
|
bool overwrite_mac = false;
|
||||||
|
@ -383,7 +384,10 @@ static void route_ipv4_unicast(node_t *source, vpn_packet_t *packet) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!subnet->owner->status.reachable)
|
if(!subnet->owner->status.reachable)
|
||||||
route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_UNREACH);
|
return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_UNREACH);
|
||||||
|
|
||||||
|
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
|
||||||
|
return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_ANO);
|
||||||
|
|
||||||
if(priorityinheritance)
|
if(priorityinheritance)
|
||||||
packet->priority = packet->data[15];
|
packet->priority = packet->data[15];
|
||||||
|
@ -531,7 +535,10 @@ static void route_ipv6_unicast(node_t *source, vpn_packet_t *packet) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!subnet->owner->status.reachable)
|
if(!subnet->owner->status.reachable)
|
||||||
route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE);
|
return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE);
|
||||||
|
|
||||||
|
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
|
||||||
|
return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
|
||||||
|
|
||||||
via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
|
via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
|
||||||
|
|
||||||
|
@ -796,6 +803,9 @@ static void route_mac(node_t *source, vpn_packet_t *packet) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
|
||||||
|
return;
|
||||||
|
|
||||||
// Handle packets larger than PMTU
|
// Handle packets larger than PMTU
|
||||||
|
|
||||||
node_t *via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
|
node_t *via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
|
||||||
|
@ -824,6 +834,11 @@ static void route_mac(node_t *source, vpn_packet_t *packet) {
|
||||||
}
|
}
|
||||||
|
|
||||||
void route(node_t *source, vpn_packet_t *packet) {
|
void route(node_t *source, vpn_packet_t *packet) {
|
||||||
|
if(forwarding_mode == FMODE_KERNEL) {
|
||||||
|
send_packet(myself, packet);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if(!checklength(source, packet, ether_size))
|
if(!checklength(source, packet, ether_size))
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
|
|
@ -30,7 +30,14 @@ typedef enum rmode_t {
|
||||||
RMODE_ROUTER,
|
RMODE_ROUTER,
|
||||||
} rmode_t;
|
} rmode_t;
|
||||||
|
|
||||||
|
typedef enum fmode_t {
|
||||||
|
FMODE_OFF = 0,
|
||||||
|
FMODE_INTERNAL,
|
||||||
|
FMODE_KERNEL,
|
||||||
|
} fmode_t;
|
||||||
|
|
||||||
extern rmode_t routing_mode;
|
extern rmode_t routing_mode;
|
||||||
|
extern fmode_t forwarding_mode;
|
||||||
extern bool overwrite_mac;
|
extern bool overwrite_mac;
|
||||||
extern bool priorityinheritance;
|
extern bool priorityinheritance;
|
||||||
extern int macexpire;
|
extern int macexpire;
|
||||||
|
|
Loading…
Reference in a new issue