Commit graph

2958 commits

Author SHA1 Message Date
Guus Sliepen
e355088535 Use iface instead of interface.
This was accidentally added in commit 2f03a5d.
2016-04-10 17:01:52 +02:00
Guus Sliepen
6f97c00115 Update THANKS. 2016-04-10 17:01:04 +02:00
Guus Sliepen
8be447ac02 Update .gitignore. 2016-04-10 16:51:03 +02:00
Guus Sliepen
9f0fb224a6 Don't compile getopt*.c if the system provides getopt_long().
# Conflicts:
#	configure.ac
#	src/Makefile.am
#	src/tincd.c
2016-04-10 16:47:32 +02:00
Guus Sliepen
c2726dae62 Fix typo.
Found by LunarShaddow.
2016-04-10 16:38:45 +02:00
LunarShaddow
e44c337eae re-arrange include sequence to avoid a mingw introduced bug.
refers: https://www.cygwin.com/ml/cygwin/2012-12/msg00194.html

# Conflicts:
#	src/cygwin/device.c
2016-03-07 21:54:13 +01:00
LunarShaddow
af83d0b9e8 fix typo 2016-03-07 21:51:44 +01:00
Guus Sliepen
bf50b3502a Fix for botched cherry-pick commit 60fb230. 2016-02-28 16:38:49 +01:00
Guus Sliepen
1ceea259c3 Add warnings for bad combinations of Device and Interface.
On Linux, the name of the tun/tap interface can be set freely. However,
on most other operating systems, tinc cannot change the name of the
interface. In those situations, it is possible to specify a Device and
an Interface that conflict with each other. On BSD, this can cause
$INTERFACE to be set incorrectly; on Windows, this results in a
potentially unreliable way in which a TAP-Win32 interface is selected.

# Conflicts:
#	src/bsd/device.c
2016-02-28 16:37:52 +01:00
Guus Sliepen
e3f80e9167 Small fixes for the documentation.
# Conflicts:
#	doc/tinc.texi
2016-02-28 16:36:15 +01:00
Guus Sliepen
72cfd4f047 Clarify that scripts are called synchronously.
# Conflicts:
#	doc/tinc.conf.5.in
#	doc/tinc.texi
2016-02-28 16:35:21 +01:00
Guus Sliepen
4d7469e0da Fix forwarding of edge updates.
Commit e4670fc accidentally prevented ADD_EDGE messages from propagating
in some cases.
2016-02-28 16:31:31 +01:00
Guus Sliepen
60fb2308e5 Improve performance of edge updates. 2016-02-28 16:29:51 +01:00
Vittorio Gambaletta (VittGam)
994adadf27 Remove forward declaration for do_decrement_ttl.
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>

# Conflicts:
#	src/route.c
2016-02-28 16:24:12 +01:00
Vittorio Gambaletta (VittGam)
0f3ae1a9f2 s/broadcast_packet_helper/route_broadcast/
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>

# Conflicts:
#	src/route.c
2016-02-28 16:19:00 +01:00
Vittorio Gambaletta (VittGam)
496f775568 Fix DecrementTTL option for packets destined to the local node.
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>

# Conflicts:
#	src/route.c
2016-02-28 16:17:23 +01:00
Vittorio Gambaletta (VittGam)
17e54ea0be Try to reply with node address only when decrementing the TTL.
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
2016-02-28 15:58:47 +01:00
Vittorio Gambaletta (VittGam)
92203bdbcb Fix source IP address for ICMP unreachable packets generated by tinc.
Try to send ICMP unreachable replies from an address assigned to the
local machine, instead of the destination address of the original
packet.

The address is found by looking up the route towards the sender of
the packet that generated the error; in usual configurations, this
is the tinc interface.

This also fixes the traceroute display in mtr when using the
DecrementTTL option.

Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>

# Conflicts:
#	src/route.c
2016-02-28 15:58:25 +01:00
Vittorio Gambaletta (VittGam)
a8a3a2c8ce Fix DecrementTTL option.
The option was not actually working, as it could be seen on traceroute or mtr.

The problem is that it was checking if the TTL was < 1 (so equal to 0) before decrementing it.

This meant that a packet with a TTL of 1 was being sent with a TTL of 0 on the VPN, instead of being discarded with the ICMP error message.

Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>

# Conflicts:
#	src/route.c
2016-02-28 15:54:33 +01:00
Guus Sliepen
ac9e32ff91 Use nostdinc instead of overriding DEFAULT_INCLUDES. 2016-02-28 15:48:19 +01:00
Guus Sliepen
96dd6e5f6c Only check for -fno-strict-overflow if -fwrapv does not work. 2016-02-28 15:42:04 +01:00
Guus Sliepen
92f0c4db77 Update .gitignore. 2016-02-28 15:41:51 +01:00
Guus Sliepen
d8ca00fe40 Add the ability to sign and verify files. 2016-01-27 00:09:29 +01:00
Guus Sliepen
7418e9077f Merge remote-tracking branch 'mweinelt/tinc-gui' into 1.1 2016-01-17 23:29:23 +01:00
Guus Sliepen
420989e4c3 Only add a reflexive address when we're sure it's working. 2016-01-14 15:39:38 +01:00
thorkill
324c84aebd On FreeBSD backtrace() needs -lexecinfo 2015-12-10 23:33:15 +01:00
thorkill
371b3a2ba5 fix linking problem on FreeBSD 2015-12-10 23:17:13 +01:00
thorkill
eb84af49fa Make handle_incoming_vpn_packet compile 2015-12-10 17:26:18 +01:00
thorkill
07ec2d2eb2 Merge remote-tracking branch 'remotes/guus/1.1' into thkr-1.1-ponyhof 2015-12-10 17:08:29 +01:00
thorkill
1dd8033ea5 Added excessive debug output to sptps 2015-12-10 17:08:03 +01:00
Guus Sliepen
cda5a477c8 Use static buffers for recvmmsg(), initialize them only as needed.
As suggested by Michael Tokarev.
2015-12-10 16:45:05 +01:00
Guus Sliepen
e4fd81ed2d Add support for recvmmsg().
Based on a patch from Samuel Thibault and input from Michael Tokarev.
2015-12-10 16:36:10 +01:00
thorkill
c94214500f Merge remote-tracking branch 'remotes/guus/1.1' into thkr-1.1-ponyhof 2015-12-03 16:21:47 +01:00
thorkill
42381038ba Forget nodes while forwarding subnet information 2015-11-30 01:00:28 +01:00
thorkill
dff1743322 Do not forward information about other nodes if they are not reachable and the last_state_change is larger than 2 x KeyExpire 2015-11-30 00:22:51 +01:00
thorkill
bdcbf10428 Let's send only nodes and edge info when n->last_state_change > 0 and this information is no older than 1 hour 2015-11-29 11:52:14 +01:00
thorkill
781dac00d5 Do not send information about unreachable nodes - testing highly experimental, the problem is that once a node has been introduced to the network it will never be deleted until all tincd will be disabled in the whole network at once 2015-11-29 11:41:13 +01:00
thorkill
23c78217b1 Removed -fsanitize=undefined - I have missed it on last commit 2015-11-29 09:46:53 +01:00
thorkill
08f74b5603 Fix linker flags 2015-11-27 17:51:34 +01:00
Guus Sliepen
cef40b8b97 list_delete() already free()s the deleted element. 2015-11-26 11:29:54 +01:00
thorkill
519f06e281 Fix a segfault in setup_outgoing_connection() on outgoing removal 2015-11-24 17:25:53 +01:00
thorkill
2ec9f1124d Merged with guus/1.1 2015-11-24 17:01:11 +01:00
thorkill
f58e8679e7 Revert "Working on fix "stuck" outgoing connections."
This reverts commit 703ed7fff6.
2015-11-24 16:55:03 +01:00
Guus Sliepen
9fdf4278f8 Don't leave dead outgoing_t's in the outgoing_list.
If an outgoing connection cannot be made because no address is known for
it, it should be removed from the outgoing_list, otherwise it will
prevent it from being re-added later when we do know addresses for it.
2015-11-24 16:48:44 +01:00
Etienne Dechamps
c58eba587d Add upnp.h to tincd SOURCES.
This was missing from 513bffe1fe.
2015-11-22 23:03:03 +01:00
thorkill
703ed7fff6 Working on fix "stuck" outgoing connections.
This problem occurs on "road-warriors" when tincd sets up
outgoing connections but you do not have any active uplink then
dns-lookups will fail and any following attempt to make outgoing
connections will keep failing forever.
2015-11-22 22:50:51 +01:00
Etienne Dechamps
613d586afd Don't unset validkey when receiving SPTPS handshakes over ANS_KEY.
This fixes a hairy race condition that was introduced in
1e89a63f16, which changed
the underlying transport of handshake packets from REQ_KEY to ANS_KEY.
Unfortunately, what I missed in that commit is, on the receiving side,
there is a slight difference between req_key_h() and ans_key_h():
indeed, the latter resets validkey to false.

The reason why this is not a problem during typical operation is
because the normal SPTPS key regeneration procedure looks like this:

    KEX ->
    <- KEX
    SIG ->
    <- SIG

All these messages are sent over ANS_KEY, therefore the receiving side
will unset validkey. However, that's typically not a problem in practice
because upon reception of the last message (SIG), SPTPS will call
sptps_receive_record(), which will set validkey to true again, and
everything works out fine in the end.

However, that was the *typical* scenario. Now let's assume that the
SPTPS channel is in active use at the same time key regeneration
happens. Specifically, let's assume a normal VPN data packet sneaks in
during the key regeneration procedure:

    KEX ->
    <- KEX
    <- (SPTPS packet, over TCP or UDP)
    <- KEX (wtf?)
    SIG -> (refused with Invalid packet seqno: XXX != 0)

At this point, both nodes are extremely confused and the SPTPS channel
becomes unusable with various errors being thrown on both sides. The
channel will stay down until automatic SPTPS channel restart kicks in
after 10 seconds.

(Note: the above is just an example - the race can occur on either side
whenever a packet is sent during the period of time between KEX and SIG
messages are received by the node sending the packet.)

I've seen this race occur in the wild - it is very likely to occur if
key regeneration occurs on a heavily loaded channel. It can be
reproduced fairly easily by setting KeyExpire to a short value (a few
seconds) and then running something like ping -f foobar -i 0.01.

The reason why this occurs is because tinc's TX code path triggers the
following:

 - send_packet()
 - try_tx()
 - try_tx_sptps()
 - validkey is false because we just received an ANS_KEY message
 - waitingforkey is false because it's not used for key regeneration
 - send_req_key()
 - SPTPS channel restart (sptps_stop(), sptps_start()).

Obviously, it all goes downhill from there and the two nodes get very
confused quickly (for example the seqno gets reset, hence the error
messages).

This commit fixes the issue by keeping validkey set when SPTPS data is
received over ANS_KEY messages.
2015-11-22 17:53:52 +00:00
Guus Sliepen
95935cecb6 Update THANKS file. 2015-11-21 19:41:14 +01:00
Etienne Dechamps
0f6d34dc1b Try to ensure we build correctly against various libminiupnpc versions.
Unfortunately, libminiupnpc has a somewhat... "peculiar" approach to
backwards compatibility for their API, where they reserve the right to
make breaking changes when they feel like it, forcing users to resort
to #ifdefs to ensure they use the correct API. Sigh.

Previously, tinc would only build against API versions <= 13, because I
was doing my initial development using miniupnpc-1.9.20140610 which is
the version that ships with Debian. The changes in this commit are
required for tinc to build against more recent versions, from
1.9.20150730 to the latest one at the time of this commit, 1.9.20151026.
2015-11-21 16:18:01 +00:00
Etienne Dechamps
675e3b497b Allow tinc to be built with miniupnpc on Windows.
Contrary to what I expected, it so happens that modern versions of MinGW
include an implementation of pthread natively by default, so there is no
need to introduce Win32-specific threading code. This means the only
changes required to make UPnP work on Windows are just build parameter
tuning.

This commit forces MinGW to be built statically. This makes linking
against miniupnpc simpler (otherwise we would have to handle the mess
of dllimport & co.) and it also prevents libwinpthread from being linked
dynamically (which it is by default), as this would require additional
DLLs to be distributed. Since static linking is how tinc is
traditionally built on Windows, I don't expect this to be a big deal.
2015-11-21 16:18:01 +00:00