Commit graph

2216 commits

Author SHA1 Message Date
Guus Sliepen
146760bd35 Fix typo. 2010-03-10 16:07:01 +01:00
Guus Sliepen
f2346771cf Log unauthorized Subnets when StrictSubnets is set. 2010-03-08 21:44:32 +01:00
Guus Sliepen
ee64b8ef33 ConnectTo does not mean tinc does not listen for incoming connections anymore. 2010-03-08 17:54:57 +01:00
Guus Sliepen
8ae54dc7c7 Fixes for the Forwarding option. 2010-03-02 23:27:50 +01:00
Guus Sliepen
3e4829e78a Add the DirectOnly option.
When this option is enabled, packets that cannot be sent directly to the destination node,
but which would have to be forwarded by an intermediate node, are dropped instead.
When combined with the IndirectData option,
packets for nodes for which we do not have a meta connection with are also dropped.
2010-03-02 22:55:24 +01:00
Guus Sliepen
95a6974de1 Add the Forwarding option.
This determines if and how incoming packets that are not meant for the local
node are forwarded.  It can either be off, internal (tinc forwards them itself,
as in previous versions), or kernel (packets are always sent to the TUN/TAP
device, letting the kernel sort them out).
2010-03-02 22:34:26 +01:00
Guus Sliepen
5038964032 Add the StrictSubnets option.
When this option is enabled, tinc will not accept dynamic updates of Subnets
from other nodes, but will only use Subnets read from local host config files
to build its routing table.
2010-03-02 00:18:44 +01:00
Guus Sliepen
9fed0ec34b Preload all Subnets in TunnelServer mode.
This simplifies the logic in protocol_subnet.c.
2010-03-01 23:44:56 +01:00
Guus Sliepen
d47ab576a2 Check for dirent.h. 2010-03-01 23:44:46 +01:00
Guus Sliepen
21f33b6382 Simplify reading lines from configuration files.
Instead of allocating storage for each line read, we now read into fixed-size
buffers on the stack. This fixes a case where a malformed configuration file
could crash tinc.
2010-03-01 23:35:02 +01:00
Guus Sliepen
3cb91d75f8 Clamp MSS to miminum MTU in both directions.
Clamp MSS of both incoming and outgoing packets, and use the minimum of the
PMTU of both directions when clamping.
2010-02-28 18:20:13 +01:00
Timothy Redaelli
ddb8cb0779 Add --disable-zlib configure option 2010-02-10 16:47:52 +01:00
Timothy Redaelli
eeb505af36 Add --disable-lzo configure option 2010-02-10 16:47:52 +01:00
Guus Sliepen
f7b2a2ea43 Releasing 1.0.12. 2010-02-03 22:49:48 +01:00
Guus Sliepen
cd0c2e86a4 Ensure peers with a meta connection always have our key.
This keeps UDP probes going, which in turn keeps NAT mappings alive.
2010-02-03 11:18:46 +01:00
Guus Sliepen
40d91ff619 Update copyright notices. 2010-02-02 22:49:21 +01:00
Guus Sliepen
44f8f61396 Try to set DF bit on BSDs as well.
Every operating system seems to have its own, slightly different way to disable
packet fragmentation. Emit a compiler warning when no suitable way is found.
On OpenBSD, it seems impossible to do it for IPv4.
2010-02-02 22:22:27 +01:00
Guus Sliepen
ed14ef93b4 Immediately exchange keys when establishing a meta connection.
This in turn will trigger PMTU discovery, and ensures nodes know each others
reflexive UDP address and port.
2010-02-02 01:02:40 +01:00
Guus Sliepen
4a0b998151 Determine peer's reflexive address and port when exchanging keys.
To help peers that are behind NAT connect to each other directly via UDP, they
need to know the exact external address and port that they use. Keys exchanged
between NATted peers necessarily go via a third node, which knows this address
and port, and can append this information to the keys, which is in turned used
by the peers.

Since PMTU discovery will immediately trigger UDP communication from both sides
to each other, this should allow direct communication between peers behind
full, address-restricted and port-restricted cone NAT.
2010-02-02 00:51:44 +01:00
Guus Sliepen
d15099e002 Be liberal in accepting KEY_CHANGED/REQ_KEY/ANS_KEY requests.
When we got a key request for or from a node we don't know, we disconnected the
node that forwarded us that request.  However, especially in TunnelServer mode,
disconnecting does not help. We now ignore such requests, but since there is no
way of telling the original sender that the request was dropped, we now retry
sending REQ_KEY requests when we don't get an ANS_KEY back.
2010-01-23 18:48:01 +01:00
Guus Sliepen
469fa318bc Run subnet-up/down scripts for local MAC addresses as well. 2010-01-22 21:59:40 +01:00
Guus Sliepen
5d194b9f87 Fix subnet-up/down scripts being called with an empty SUBNET.
Commit 052ff8b2c5 contained a bug that causes
scripts to be called with an empty, or possibly corrupted SUBNET variable when
a Subnet is added or removed while the owner is still online. In router mode,
this normally does not happen, but in switch mode this is normal.
2010-01-22 21:47:26 +01:00
Guus Sliepen
b455111184 Make MSS clamping configurable, but enabled by default.
It can either be set globally in tinc.conf, or per-node in host config files.
2010-01-16 20:16:33 +01:00
Guus Sliepen
95928f7c29 Also clamp MSS of TCP over IPv6 packets. 2010-01-16 19:32:33 +01:00
Guus Sliepen
b1945f70fe Optimise handling of select() returning <= 0.
Before, we immediately retried select() if it returned -1 and errno is EAGAIN
or EINTR, and if it returned 0 it would check for network events even if we
know there are none.  Now, if -1 or 0 is returned we skip checking network
events, but we do check for timer and signal events.
2010-01-15 23:41:14 +01:00
Guus Sliepen
51099658c9 Ping nodes immediately when receiving SIGALRM.
One reason to send the ALRM signal is to let tinc immediately try to connect to
outgoing nodes, for example when PPP or DHCP configuration of the outgoing
interface finished.  Conversely, when the outgoing interface goes down one can
now send this signal to let tinc quickly detect that links are down too.
2010-01-15 23:19:08 +01:00
Guus Sliepen
2a538ed343 Clamp MSS of IPv4 SYN packets.
Some ISPs block the ICMP Fragmentation Needed packets that tinc sends.  We
clamp the MSS of IPv4 SYN packets to prevent hosts behind those ISPs from
sending too large packets.
2010-01-15 13:42:37 +01:00
Guus Sliepen
35b1c25093 Move source from lib/ to src/.
The utility functions in the lib/ directory do not really form a library.
Also, now that we build two binaries, tincctl does not need everything that was
in libvpn.a, so it is wasteful to link to it.
2009-12-31 13:19:13 +01:00
Guus Sliepen
41497246ee Remove unused AVL tree library. 2009-12-31 13:09:14 +01:00
Guus Sliepen
e4812ba9cc Allow Port and PMTUDiscovery options in tinc.conf, always enable PMTUDiscovery by default. 2009-12-24 12:42:21 +01:00
Guus Sliepen
7203d5fb07 Use xstrdup() instead of xasprintf() to copy static strings. 2009-12-23 19:51:55 +01:00
Guus Sliepen
a9a803d566 Allow port to be specified in Address statements.
This allows one to connect to use more than one port number to connect to
another node. The syntax is now:

Address = <hostname> [<port>]
2009-12-23 19:49:38 +01:00
Guus Sliepen
43e34d8180 Do not fragment packets smaller than RFC defined minimum MTUs.
For IPv6, the minimum MTU is 1280 (RFC 2460), for IPv4 the minimum is actually
68, but this is such a low limit that it will probably hurt performance, so we
do as if it is 576 (the minimum packet size hosts should be able to handle, RFC
791). If we detect a path MTU smaller than those minima, and we have to handle
a packet that is bigger than the PMTU but smaller than those minima, we forward
them via TCP instead of fragmenting or returning ICMP packets.
2009-12-23 19:22:06 +01:00
Guus Sliepen
3626165002 Do not use hardcoded cipher block length when padding. 2009-12-19 23:23:25 +01:00
Guus Sliepen
f542ef8f9e Fix alignment of results of RSA operations when using libgcrypt.
If the result of an RSA encryption or decryption operation can be represented
in less bytes than given, gcry_mpi_print() will not add leading zero bytes. Fix
this by adding those ourself.
2009-12-19 22:17:39 +01:00
Guus Sliepen
4c68a8cb60 Do not consider unreachable nodes when trying to determine packet origin. 2009-12-19 20:53:48 +01:00
Guus Sliepen
74e50d52e0 recv() and recvfrom() return int, do not prematurely cast the return value. 2009-12-19 20:52:19 +01:00
Guus Sliepen
0bfd69a273 Fix reading raw RSA keys with libgcrypt. 2009-12-19 20:26:30 +01:00
Guus Sliepen
0ff44fc241 Reinitialise block cipher IV each time we encrypt a packet when using libgcrypt. 2009-12-19 20:10:38 +01:00
Guus Sliepen
3c90be7678 Fix block cipher padding when using libgcrypt. 2009-12-19 18:57:54 +01:00
Guus Sliepen
c845bc109c Fix packet authentication.
This wasn't working at all, since we didn't do HMAC but just a plain hash.
Also, verification of packets failed because it was checking the whole packet,
not the packet minus the HMAC.
2009-12-18 01:15:25 +01:00
Guus Sliepen
10d609b1f0 Start of a GUI for tinc. 2009-12-16 21:18:21 +01:00
Guus Sliepen
55ef2f806f Allow connections to be closed.
This only closes existing meta connections, it may not affect node
reachability.
2009-12-16 21:16:56 +01:00
Guus Sliepen
f12c36afd5 Include missing header files and source directories. 2009-12-14 21:25:06 +01:00
Guus Sliepen
2a410cd26d Do not include OpenSSL headers directly. 2009-12-14 21:20:56 +01:00
Guus Sliepen
5d78e497f1 Fix compiler warnings. 2009-12-11 22:38:06 +01:00
Guus Sliepen
d6c50eb73a Merge branch 'master' into 1.1
Conflicts:
	src/subnet.c
2009-12-11 22:31:27 +01:00
Guus Sliepen
fec14791e8 Only call ioctlsocket() on Windows. 2009-12-11 22:24:07 +01:00
Guus Sliepen
369fe1ab1c Forget addresses of unreachable nodes.
We clear the cached address used for UDP connections when a node becomes
unreachable. This also prevents host-up scripts from passing the old, cached
address from when the host becomes reachable again from a different address.
2009-12-08 22:18:37 +00:00
Guus Sliepen
62f235e05c Remove unused variable in lookup_subnet_*() functions. 2009-11-28 11:56:13 +00:00