Commit graph

2491 commits

Author SHA1 Message Date
thorkill
df42bc3621 Temporal fix for broken hopes. 2015-03-18 15:45:52 +01:00
thorkill
157bc90e64 Temporal fix for 'unknown source' and broken direct UDP links. 2015-03-18 14:54:45 +01:00
Guus Sliepen
6568cffd52 --syslog and --logfile are mutually exclusive. 2015-03-14 12:02:29 +00:00
Guus Sliepen
15ad628f06 Fix the case where we detach and use --logfile. 2015-03-14 12:02:06 +00:00
Guus Sliepen
04fc19112d Merge remote-tracking branch 'seehuhn/1.1' into 1.1 2015-03-14 11:45:55 +00:00
Guus Sliepen
f9ecaa1076 Merge remote-tracking branch 'dechamps/sptpsabort' into 1.1 2015-03-14 11:44:38 +00:00
Jochen Voss
19d16e40cc Add a new --syslog option for tincd.
This commit adds a new command line option for tincd which allows to
use tincd in non-detached mode with log messages still going to
syslog.  The motivation for this change is to ease use of tincd
in Docker containers.
2015-03-13 11:05:22 +00:00
Etienne Dechamps
2e7f68ad2b Don't abort() willy-nilly in SPTPS code.
If receive_handshake() or the receive_record() user callback returns an
error, sptps_receive_data_datagram() crashes the entire process. This is
heavy-handed, makes tinc very brittle to certain failures (i.e.
unexpected packets), and is inconsistent with the rest of SPTPS code.
2015-03-08 17:35:06 +00:00
Etienne Dechamps
c23e50385d Fix UDP/MTU discovery in intermediate SPTPS UDP relays.
Refactoring commit 81578484dc seems to
have introduced a regression as it moved discovery code away from
send_sptps_data_priv() and within send_packet(). The issue is,
send_packet() is not called when the node is simply relaying an UDP
SPTPS packet: indeed, send_sptps_data_priv() is called directly from
handle_incoming_vpn_data() in that case.

As a result, try_tx_sptps() is not called in the relaying case, which in
practice means that a relay doesn't initiate UDP/MTU discovery with the
next relay (unless some other activity compels it to do so). This can
result in packets getting sent over TCP instead of UDP from the relay.
2015-03-08 14:40:27 +00:00
Etienne Dechamps
0f8e2cc78c Fix dynamic UDP SPTPS relaying.
Refactoring commit 0e65326047 broke UDP
SPTPS relaying by accidently removing try_tx_sptps() logic related to
establishing connectivity to so-called "dynamic" relays (i.e. relays
that are not specified by IndirectData configuration statements, but
are used on-the-fly to circumvent loss of direct UDP connectivity).

Specifically, the TX path was not trying to establish a tunnel to
dynamic relays (nexthop) anymore. This meant that MTU was not being
discovered with dynamic relays, which basically meant that all packets
being sent to dynamic relays went over TCP, thereby defeating the whole
purpose of SPTPS UDP relaying.

Note that this bug could easily go unnoticed if a tunnel was established
with the dynamic tunnel for some other reason (i.e. exchanging actual
data packets with the relay node).
2015-03-08 14:28:07 +00:00
xentec
537c352886 Fix compile errors introduced in cfe9285adf
Compiling with `--disable-legacy-protocol` resulted in failure caused by the missing exclusion of some symbols in net_packet.c.
2015-02-17 04:02:35 +01:00
Guus Sliepen
cffcaf966b Suppress warnings about parsing Ed25519 keys when they are not present. 2015-02-16 08:42:30 +01:00
Guus Sliepen
833a8a048b Document that --force should precede commands. 2015-02-16 08:26:49 +01:00
Sven-Haegar Koch
85000a30ca Fixed variables.test testsuite after 'Make "tinc add" idempotent.' change. 2015-02-10 07:54:52 +01:00
Guus Sliepen
4b2ddded2c Make "tinc add" idempotent.
When calling "tinc add" multiple times with the same variable and value,
make sure only one unique line is added to the configuration file.
2015-02-09 15:23:59 +01:00
Guus Sliepen
0b310bf406 Always call res_init() before getaddrinfo().
Unfortunately, glibc assumes that /etc/resolv.conf is a static file that
never changes. Even on servers, /etc/resolv.conf might be a dynamically
generated file, and we never know when it changes. So just call
res_init() every time, so glibc uses up-to-date nameserver information.
2015-02-09 15:16:36 +01:00
Guus Sliepen
268e3ffca7 Add the "fsck" command to the CLI.
This will report possible problems in the configuration files, and in
some cases offers to fix them.

The code is far from perfect yet. It expects keys to be in their default
locations, it doesn't check for Public/PrivateKey[File] statemetns yet.
It also does not correctly handle Ed25519 public keys yet.
2015-01-15 23:06:38 +01:00
Guus Sliepen
a95e182d9c Improve packet source detection.
When no UDP communication has been done yet, tinc establishes a guess
for the UDP address+port of each node. However, when there are multiple nodes
behind a NAT, tinc will guess the exact same address+port combination
for them, because it doesn't know about the NAT mappings yet. So when
receiving a packet, don't trust that guess unless we have confirmed UDP
communication.

This ensures try_harder() is called in such cases. However, this
function was actually very inefficient, trying to verify packets
multiple times for nodes with multiple edges. Only call try_mac() at
most once per node.
2015-01-12 14:43:32 +01:00
Guus Sliepen
ae5b56c03d Send gratuitous type 2 probe replies.
If we receive any traffic from another node, we periodically send back a
gratuitous type 2 probe reply with the maximum received packet length.
On the other node, this causes the udp and perhaps mtu probe timers to
be reset, so it does not need to send a probe request. Gratuitous probe
replies from another node also count as received traffic for this
purpose, so for nodes that also have a meta-connection, UDP keepalive
packets in principle can now solely be type 2 replies. This reduces the
amount of probe traffic even more.

To work, gratuitous replies should be sent slightly more often than
udp_discovery_keepalive_interval, so probe requests won't be triggered.
This also means that the timer resolution must be smaller than the
difference between the two, and at the moment it's kind of a hack.
2015-01-11 17:44:50 +01:00
Guus Sliepen
7b76b7ac35 Send the size of the largest recently received packets in type 2 probe replies. 2015-01-11 16:14:05 +01:00
Guus Sliepen
79b6adb489 Move UDP probe reply code into its own function.
This reduces the level of indentation, and prepares for sending gratuitous type 2 probe replies.
2015-01-11 16:12:57 +01:00
Guus Sliepen
f0afde0467 Keep track of the largest UDP packet size received from a node. 2015-01-11 16:10:58 +01:00
Guus Sliepen
d639415937 Move detection of PMTU decrease to try_mtu().
When we have fixed the PMTU, n->mtuprobes == -1. When we send MTU probes
when mtuprobes == -1, decrease mtuprobes, and reset it back to -1 in
mtu_probe_h(). If mtuprobes < -1, send MTU probes every second, until
mtuprobes <= -4, in which case we will restart MTU discovery.
2015-01-11 15:38:56 +01:00
Guus Sliepen
e97e9b22cb Send MTU probes only once every PingInterval. 2015-01-11 14:44:27 +01:00
Guus Sliepen
088b5fd9ee Remove RTT and packet loss estimation code.
This is not working at all anymore. Just remove it, and we'll do another
attempt at RTT, bandwidth and packet loss estimation after the new
probing code stabilizes.
2015-01-11 14:44:15 +01:00
Guus Sliepen
ce7079f4af Only send small packets during UDP probes.
We are trying to decouple UDP probing from MTU probing, so only send
very small packets during UDP probing. This significantly reduces the
amount of traffic sent (54 to 67 bytes per probe instead of 1500 bytes).

This means the MTU probing code takes over sending PMTU sized probes,
but this commit does not take care of detecting PMTU decreases.
2015-01-11 13:53:16 +01:00
Guus Sliepen
e4077c00c6 Immediately send our key when a meta-connection is established.
This is what 1.0 does, and speeds up the UDP probing.
2015-01-11 13:51:55 +01:00
Guus Sliepen
eb7a0db18e Always keep UDP mappings alive for nodes that also have a meta-connection.
This is necessary for assisting with UDP hole punching. But we don't
need to know the PMTU for this, so only send UDP probes.
2015-01-11 13:31:01 +01:00
Guus Sliepen
545ecb3396 Fix segfault when sptps_test cannot open the key files. 2015-01-11 01:52:37 +01:00
Etienne Dechamps
69d4ccc437 Fix typo in logging statement.
This was introduced in cfe9285adf.
2015-01-11 00:04:01 +01:00
Guus Sliepen
6fcfe763aa Don't send probe replies if we don't have the other's key.
This can happen with the legacy protocol. Don't try to send anything
back in this case, otherwise it will be sent via TCP, which is silly.
2015-01-10 23:58:35 +01:00
Guus Sliepen
f3801cb543 Proactively send our own key when we request another node's key. 2015-01-10 23:52:23 +01:00
Guus Sliepen
c26bb47af1 Fix size of type 2 probe replies.
Type 2 replies should be as small as possible. The minimum payload size
for probe packets is 14 bytes, otherwise they won't be recognized as
such.
2015-01-10 23:33:55 +01:00
Guus Sliepen
0209f12d27 Correctly estimate the initial MTU for legacy packets. 2015-01-10 23:00:51 +01:00
Guus Sliepen
0e65326047 Try to clarify the new code in net_packet.c a bit.
Mainly by trying to reduce complex if statements, by splitting try_tx() into try_tx_legacy() and
try_tx_sptps(), since they don't share a lot of code.
2015-01-10 22:28:47 +01:00
Guus Sliepen
6056f1c13b Remember whether we sent our key to another node.
In tinc 1.0.x, this was tracked in node->inkey, however in tinc 1.1 we have an abstraction layer for
the legacy cipher and digest, and we don't keep an explicit copy of the key around. We cannot use
cipher_active() or digest_active(), since it is possible to set both to the null algorithm. So add a bit to
node_status_t.
2015-01-10 22:26:33 +01:00
Guus Sliepen
f1f2df0738 Use global "now" in try_udp() and try_mtu(). 2015-01-04 16:00:02 +01:00
Guus Sliepen
b737103a91 Use void pointers for opaque data blobs in the SHA512 code. 2015-01-04 14:19:23 +01:00
Guus Sliepen
4b42518813 Fix indentation and some whitespace issues. 2015-01-04 14:15:35 +01:00
Etienne Dechamps
07108117ce Use a different UDP discovery interval if the tunnel is established.
This introduces a new configuration option,
UDPDiscoveryKeepaliveInterval, which is used as the UDP discovery
interval once the UDP tunnel is established. The pre-existing option,
UDPDiscoveryInterval, is therefore only used before UDP connectivity
is established.

The defaults are set so that tinc sends UDP pings more aggressively
if the tunnel is not established yet. This is appropriate since the
size of probes in that scenario is very small (16 bytes).
2015-01-03 10:12:36 +00:00
Etienne Dechamps
06345f89b9 Recalculate and resend MTU probes if they are too large for the system.
Currently, if a MTU probe is sent and gets rejected by the system
because it is too large (i.e. send() returns EMSGSIZE), the MTU
discovery algorithm is not aware of it and still behaves as if the probe
was actually sent.

This patch makes the MTU discovery algorithm recalculate and send a new
probe when this happens, so that the probe "slot" does not go to waste.
2015-01-02 09:56:50 +00:00
Etienne Dechamps
f89319f981 Fine-tune the MTU discovery multiplier for the maxmtu < MTU case.
The original multiplier constant for the MTU discovery algorithm, 0.97,
assumes a somewhat pessmistic scenario where we don't get any help from
the OS - i.e. maxmtu never changes. This can happen if IP_MTU is not
usable and the OS doesn't reject overly large packets.

However, in most systems the OS will, in fact, contribute to the MTU
discovery process. In these situations, an actual MTU equal to maxmtu
is quite likely (as opposed to the maxmtu = 1518 case where that is
highly unlikely, unless the physical network supports jumbo frames).
It therefore makes sense to use a multiplier of 1 - that will make the
first probe length equal to maxmtu.

The best results are obtained if the OS supports the getsockopt(IP_MTU)
call, and its result is accurate. In that case, tinc will typically fix
the MTU after one single probe(!), like so:

    Using system-provided maximum tinc MTU for foobar (1.2.3.4 port 655): 1442
    Sending UDP probe length 1442 to foobar (1.2.3.4 port 655)
    Got type 2 UDP probe reply 1442 from foobar (1.2.3.4 port 655)
    Fixing MTU of foobar (1.2.3.4 port 655) to 1442 after 1 probes
2015-01-02 09:55:54 +00:00
Etienne Dechamps
bce17c83e8 Add IP_MTU-based maxmtu estimation.
Linux provides a getsockopt() option, IP_MTU, to get the kernel's best
guess at a connection MTU. In practice, it seems to return the MTU of
the physical interface the socket is using.

This patch uses this option to initialize maxmtu to a better value when
MTU discovery starts.

Unfortunately, this is not supported on Windows. Winsock has options
such as SO_MAX_MSG_SIZE, SO_MAXDG and SO_MAXPATHDG but they seem useless
as they always return absurdly large values (typically, 65507), as
confirmed by http://support.microsoft.com/kb/822061/
2015-01-02 09:55:54 +00:00
Etienne Dechamps
c1532035e2 Don't send MTU probes smaller than 512 bytes.
If MTU discovery comes up with an MTU smaller than 512 bytes (e.g. due
to massive packet loss), it's pretty much guaranteed to be wrong. Even
if it's not, most Internet applications assume the MTU will be at least
512, so fixing the MTU to a small value is likely to cause trouble
anyway.

This also makes the discovery algorithm converge even faster, since the
interval it has to consider is smaller.
2015-01-02 09:55:54 +00:00
Etienne Dechamps
172cbe6771 Adjust MTU probe counts.
The recently introduced new MTU discovery algorithm converges much
faster than the previous one, which allows us to reduce the number
of probes required before we can confidently fix the MTU. This commit
reduces the number of initial discovery probes from 90 to 20. With the
new algorithm this is more than enough to get to the precise (byte-level
accuracy) MTU value; in cases of packet loss or weird MTU values for
which the algorithm is not optimized, we should get close to the actual
value, and then we rely on MTU increase detection (steady state probes)
to fine-tune it later if the need arises.

This patch also triggers MTU increase detection even if the MTU we have
is off by only one byte. Previously we only did that if it was off by at
least 8 bytes. Considering that (1) this should happen less often,
(2) restarting MTU discovery is cheaper than before and (3) having MTUs
that are subtly off from their intended values by just a few bytes
sounds like trouble, this sounds like a good idea.
2015-01-02 09:55:54 +00:00
Etienne Dechamps
24d28adf64 Use a smarter algorithm for choosing MTU discovery probe sizes.
Currently, tinc uses a naive algorithm for choosing MTU discovery probe
sizes, picking a size at random between minmtu and maxmtu.

This is of course suboptimal - since the behavior of probes is
deterministic (assuming no packet loss), it seems likely that using a
non-deterministic discovery algorithm will not yield the best results.
Furthermore, the randomness introduces a lot of variation in convergence
times.

The random solution also suffers from pathological cases - since it's
using a uniform distribution, it doesn't take into account the fact that
it's often more interesting to send small probes rather than large ones,
because getting replies is the only way we can make progress (assuming
the worst case scenario in which the OS doesn't know anything, therefore
keeping maxmtu constant). This can lead to absurd situations where the
discovery algorithm is close to the real MTU, but can't get to it
because the random number generator keeps generating numbers that are
past it.

The algorithm implemented in this patch aims to improve on the naive
random algorithm. It is organized around "cycles" of 8 probes; the sizes
of the probes decrease as we go through the cycle, thus making sure the
algorithm can cover lots of ground quickly (in case we're far from
actual MTU), but also examining the local area (in case we're close to
actual MTU). Using cycles ensures that the algorithm will "go back" to
large probes to better cover the new interval and to protect against
packet loss.

For the probe size itself, various mathematical models were simulated in
an attempt to find the one that converges the fastest; it has been
determined that using an exponential based on the size of the remaining
interval was the most effective option. The exponential is adjusted with
a magic multiplier fine-tuned to make tinc jump to the "most
interesting" (i.e. 1400+) section as soon as discovery starts.

Simulations indicate that assuming no packet loss and no help from the
OS (i.e. maxmtu stays constant), this algorithm will typically converge
to the *exact* MTU value in less than 10 probes, and will get within 8
bytes in less than 5 probes, for actual MTUs between 1417 and ~1450
(which is the range the algorithm is fine-tuned for). In contrast, the
previous algorithm gives results all over the place, sometimes taking
30+ probes to get in the ballpark. Because of the issues with the
distribution, the previous algorithm sometimes never gets to the precise
MTU value within any reasonable amount of time - in contrast, the new
algorithm will always get to the precise value in less than 30 probes,
even if the actual MTU is completely outside the optimized range.
2015-01-02 09:55:52 +00:00
Etienne Dechamps
c22560ae32 Remove bandwidth estimation code.
tinc bandwidth estimation has always been quite unreliable (at least in
my experience), but there's no chance of it working anymore since the
last changes to MTU discovery code, because packets are not sent in
batches of three anymore.

This commit removes the dead code - fortunately, nothing depends on this
estimation (it's not even shown in node info). We probably need be
smarter about this if we do want this estimation back.
2015-01-02 09:55:09 +00:00
Etienne Dechamps
1b972f2273 Send one MTU probe at a time.
Currently, tinc sends MTU probes in batches of three every second. This
commit changes that to send one packet every 333 milliseconds instead.

This change brings two benefits:

 - It makes MTU probing faster, because MTU probe lengths are calculated
   based on minmtu, and minmtu is adjusted based on the replies. When
   sending batches of three packets, all three packets are based on the
   same minmtu estimation; in contrast, by sending one packet more
   frequently, each subsequent packet can benefit from the replies that
   have been received since the last packet was sent. As a result, MTU
   discovery converges much faster (2-3 times as fast, typically).

 - It reduces network spikiness - it's more network-friendly to send
   one packet from time to time as opposed to sending bursts.
2015-01-02 09:55:08 +00:00
Etienne Dechamps
5bdc1f2b82 Use -1 to identify the post-initial MTU discovery state.
This is a minor cosmetic nit to emphasise the distinction between the
initial MTU discovery phase, and the post-initial phase (i.e. maxmtu
checking).

Furthermore, this is an improvement with regard to the DRY (Don't
Repeat Yourself) principle, as the maximum mtuprobes value is only
written once.
2015-01-02 09:54:18 +00:00
Etienne Dechamps
df6f678957 Fix MTU as soon as possible.
If a probe reply is received that makes minmtu equal to maxmtu, we
have to wait until try_mtu() runs to realize that. Since try_mtu()
runs after a packet is sent, this means there is at least one packet
(possibly more, depending on timing) that won't benefit from the
fixed MTU. This also happens when maxmtu is updated from the send()
path.

This commit fixes that by making sure we check whether the MTU can be
fixed every time minmtu or maxmtu is touched.
2015-01-02 09:54:03 +00:00