Import Upstream version 1.0.13

This commit is contained in:
Guus Sliepen 2019-08-26 13:44:40 +02:00
parent c54d214bf2
commit 3f0ae998e8
34 changed files with 861 additions and 375 deletions

178
ChangeLog
View file

@ -1,3 +1,181 @@
commit 26b8cf8680ae68443dccac2adbc2361caafc3712
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Apr 11 20:40:20 2010 +0200
Releasing 1.0.13.
commit 74653beb5bc510e60579058ee15c0f66350f5137
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Apr 11 19:47:44 2010 +0200
Mark Forwarding and DirectOnly options as being experimental.
commit 0ddce6370d39eff162bd212a6e47fe3a8e96a09e
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Apr 11 19:39:31 2010 +0200
Don't redefine MAX if it already exists.
commit a9bbb3357a89e27185312fbce0ee134eda4eda90
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Apr 11 19:20:02 2010 +0200
Fixes for definitions under Windows.
commit 4708f2c89edea4be2562256544cf35309cf1ea89
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Apr 11 18:34:50 2010 +0200
Ensure subnet-up/down scripts are called after HUP when necessary.
commit 32f5524c4b52a2d3a96bc48ee2437f8b9b4dbe10
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Apr 11 04:35:16 2010 +0200
Fix reloading Subnets when StrictSubnets is set.
commit 9f53ab209d8a6a7622a49ed03cef735b6e3f3eeb
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Apr 11 00:50:42 2010 +0200
Reload Subnets when getting a HUP signal and StrictSubnets is used.
commit d1cc637470edaed663e694fdeb290eb45cc9ecca
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sat Apr 10 23:55:15 2010 +0200
Ensure ICMP_NET_ANO is defined.
commit f75e71bc693847af71f61fb72cd788e3e47f9bd3
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sat Apr 3 09:46:45 2010 +0100
Convert Port to numeric form before sending it to other nodes.
If one uses a symbolic name for the Port option, tinc will send that name
literally to other nodes. However, it is not guaranteed that all nodes have
the same contents in /etc/services, or have such a file at all.
commit 292354912f346fe467f557f0dc026b519997289c
Author: Sven-Haegar Koch <haegar@ccc.de>
Date: Wed Mar 10 02:50:51 2010 +0100
Never delete Subnets when StrictSubnets is set
If a node is unreachable, and not connected to an edge anymore, it gets
deleted. When this happens its subnets are also removed, which should
not happen with StrictSubnets=yes.
Solution:
- do not remove subnets in src/net.c::purge(), we know that all subnets
in the list came from our hosts files.
I think here you got the check wrong by looking at the tunnelserver
code below it - with strictsubnets we still inform others but do not
remove the subnet from our data.
- do not remove nodes in net.c::purge() that still have subnets
attached.
commit 146760bd35b351d58e817ce0e67f5c6f74750cd4
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Wed Mar 10 16:07:01 2010 +0100
Fix typo.
commit f2346771cf5b22092dd3f5af3674008aa1e878d1
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Mon Mar 8 21:44:32 2010 +0100
Log unauthorized Subnets when StrictSubnets is set.
commit ee64b8ef33b709fabfc1ed56762d5f52fc026e52
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Mon Mar 8 17:54:57 2010 +0100
ConnectTo does not mean tinc does not listen for incoming connections anymore.
commit 8ae54dc7c782bcc4b771ec0766fcf9eee115756e
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Tue Mar 2 23:27:50 2010 +0100
Fixes for the Forwarding option.
commit 3e4829e78a3c7f7e19017d05611e5b69d5268119
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Tue Mar 2 22:55:24 2010 +0100
Add the DirectOnly option.
When this option is enabled, packets that cannot be sent directly to the destination node,
but which would have to be forwarded by an intermediate node, are dropped instead.
When combined with the IndirectData option,
packets for nodes for which we do not have a meta connection with are also dropped.
commit 95a6974de173e0cb78611c6704ed09631d510dae
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Tue Mar 2 22:34:26 2010 +0100
Add the Forwarding option.
This determines if and how incoming packets that are not meant for the local
node are forwarded. It can either be off, internal (tinc forwards them itself,
as in previous versions), or kernel (packets are always sent to the TUN/TAP
device, letting the kernel sort them out).
commit 5038964032ef55913b2d4741c67bf191b2208abb
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Tue Mar 2 00:18:44 2010 +0100
Add the StrictSubnets option.
When this option is enabled, tinc will not accept dynamic updates of Subnets
from other nodes, but will only use Subnets read from local host config files
to build its routing table.
commit 9fed0ec34b9208611a7e96a595f23fa04e60a5c0
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Mon Mar 1 23:44:56 2010 +0100
Preload all Subnets in TunnelServer mode.
This simplifies the logic in protocol_subnet.c.
commit d47ab576a25d91600acf7eecf376ed026bdc9c83
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Mon Mar 1 23:44:46 2010 +0100
Check for dirent.h.
commit 21f33b638291c2ffe7156e6c1e0df339f855d831
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Mon Mar 1 23:35:02 2010 +0100
Simplify reading lines from configuration files.
Instead of allocating storage for each line read, we now read into fixed-size
buffers on the stack. This fixes a case where a malformed configuration file
could crash tinc.
commit 3cb91d75f874e3398c35cd4280c1e0a1ceeedabc
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Feb 28 18:20:13 2010 +0100
Clamp MSS to miminum MTU in both directions.
Clamp MSS of both incoming and outgoing packets, and use the minimum of the
PMTU of both directions when clamping.
commit ddb8cb0779ed36d17ce186dd0bf67e9f0c860d28
Author: Timothy Redaelli <timothy@redaelli.eu>
Date: Wed Feb 10 14:52:15 2010 +0100
Add --disable-zlib configure option
commit eeb505af36ba9496ad29b32cd0917afb8c6cd355
Author: Timothy Redaelli <timothy@redaelli.eu>
Date: Wed Feb 10 13:24:33 2010 +0100
Add --disable-lzo configure option
commit f7b2a2ea43fca323f543e152e6a43a29a4eb6671
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Wed Feb 3 22:49:48 2010 +0100

12
NEWS
View file

@ -1,3 +1,15 @@
Version 1.0.13 Apr 11 2010
* Allow building tinc without LZO and/or Zlib.
* Clamp MSS of TCP packets in both directions.
* Experimental StrictSubnets, Forwarding and DirectOnly options,
giving more control over information and packets received from/sent to other
nodes.
* Ensure tinc never sends symbolic names for ports over the wire.
Version 1.0.12 Feb 3 2010
* Really allow fast roaming of hosts to other nodes in a switched VPN.

4
README
View file

@ -1,4 +1,4 @@
This is the README file for tinc version 1.0.12. Installation
This is the README file for tinc version 1.0.13. Installation
instructions may be found in the INSTALL file.
tinc is Copyright (C) 1998-2010 by:
@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into
Compatibility
-------------
Version 1.0.12 is compatible with 1.0pre8, 1.0 and later, but not with older
Version 1.0.13 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc.

1
THANKS
View file

@ -34,6 +34,7 @@ We would like to thank the following people for their contributions to tinc:
* Scott Lamb
* Sven-Haegar Koch
* Teemu Kiviniemi
* Timothy Redaelli
* Tonnerre Lombard
* Wessel Dankers
* Wouter van Heyst

149
config.guess vendored
View file

@ -1,10 +1,10 @@
#! /bin/sh
# Attempt to guess a canonical system name.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
# Free Software Foundation, Inc.
timestamp='2009-06-10'
timestamp='2009-12-30'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@ -27,16 +27,16 @@ timestamp='2009-06-10'
# the same distribution terms that you use for the rest of that program.
# Originally written by Per Bothner <per@bothner.com>.
# Please send patches to <config-patches@gnu.org>. Submit a context
# diff and a properly formatted ChangeLog entry.
# Originally written by Per Bothner. Please send patches (context
# diff format) to <config-patches@gnu.org> and include a ChangeLog
# entry.
#
# This script attempts to guess a canonical system name similar to
# config.sub. If it succeeds, it prints the system name on stdout, and
# exits with 0. Otherwise, it exits with 1.
#
# The plan is that this can be called by configure scripts if you
# don't specify an explicit build system type.
# You can get the latest version of this script from:
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
me=`echo "$0" | sed -e 's,.*/,,'`
@ -56,8 +56,9 @@ version="\
GNU config.guess ($timestamp)
Originally written by Per Bothner.
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -333,6 +334,9 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
exit ;;
i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*)
echo i386-pc-auroraux${UNAME_RELEASE}
exit ;;
i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
eval $set_cc_for_build
SUN_ARCH="i386"
@ -807,12 +811,12 @@ EOF
i*:PW*:*)
echo ${UNAME_MACHINE}-pc-pw32
exit ;;
*:Interix*:[3456]*)
*:Interix*:*)
case ${UNAME_MACHINE} in
x86)
echo i586-pc-interix${UNAME_RELEASE}
exit ;;
EM64T | authenticamd | genuineintel)
authenticamd | genuineintel | EM64T)
echo x86_64-unknown-interix${UNAME_RELEASE}
exit ;;
IA64)
@ -854,6 +858,20 @@ EOF
i*86:Minix:*:*)
echo ${UNAME_MACHINE}-pc-minix
exit ;;
alpha:Linux:*:*)
case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
EV5) UNAME_MACHINE=alphaev5 ;;
EV56) UNAME_MACHINE=alphaev56 ;;
PCA56) UNAME_MACHINE=alphapca56 ;;
PCA57) UNAME_MACHINE=alphapca56 ;;
EV6) UNAME_MACHINE=alphaev6 ;;
EV67) UNAME_MACHINE=alphaev67 ;;
EV68*) UNAME_MACHINE=alphaev68 ;;
esac
objdump --private-headers /bin/sh | grep -q ld.so.1
if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
exit ;;
arm*:Linux:*:*)
eval $set_cc_for_build
if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
@ -876,6 +894,17 @@ EOF
frv:Linux:*:*)
echo frv-unknown-linux-gnu
exit ;;
i*86:Linux:*:*)
LIBC=gnu
eval $set_cc_for_build
sed 's/^ //' << EOF >$dummy.c
#ifdef __dietlibc__
LIBC=dietlibc
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'`
echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
exit ;;
ia64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
@ -901,39 +930,18 @@ EOF
#endif
#endif
EOF
eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
/^CPU/{
s: ::g
p
}'`"
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
;;
or32:Linux:*:*)
echo or32-unknown-linux-gnu
exit ;;
ppc:Linux:*:*)
echo powerpc-unknown-linux-gnu
exit ;;
ppc64:Linux:*:*)
echo powerpc64-unknown-linux-gnu
exit ;;
alpha:Linux:*:*)
case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
EV5) UNAME_MACHINE=alphaev5 ;;
EV56) UNAME_MACHINE=alphaev56 ;;
PCA56) UNAME_MACHINE=alphapca56 ;;
PCA57) UNAME_MACHINE=alphapca56 ;;
EV6) UNAME_MACHINE=alphaev6 ;;
EV67) UNAME_MACHINE=alphaev67 ;;
EV68*) UNAME_MACHINE=alphaev68 ;;
esac
objdump --private-headers /bin/sh | grep -q ld.so.1
if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
exit ;;
padre:Linux:*:*)
echo sparc-unknown-linux-gnu
exit ;;
parisc64:Linux:*:* | hppa64:Linux:*:*)
echo hppa64-unknown-linux-gnu
exit ;;
parisc:Linux:*:* | hppa:Linux:*:*)
# Look for CPU level
case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
@ -942,8 +950,11 @@ EOF
*) echo hppa-unknown-linux-gnu ;;
esac
exit ;;
parisc64:Linux:*:* | hppa64:Linux:*:*)
echo hppa64-unknown-linux-gnu
ppc64:Linux:*:*)
echo powerpc64-unknown-linux-gnu
exit ;;
ppc:Linux:*:*)
echo powerpc-unknown-linux-gnu
exit ;;
s390:Linux:*:* | s390x:Linux:*:*)
echo ${UNAME_MACHINE}-ibm-linux
@ -966,58 +977,6 @@ EOF
xtensa*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
i*86:Linux:*:*)
# The BFD linker knows what the default object file format is, so
# first see if it will tell us. cd to the root directory to prevent
# problems with other programs or directories called `ld' in the path.
# Set LC_ALL=C to ensure ld outputs messages in English.
ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
| sed -ne '/supported targets:/!d
s/[ ][ ]*/ /g
s/.*supported targets: *//
s/ .*//
p'`
case "$ld_supported_targets" in
elf32-i386)
TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
;;
esac
# Determine whether the default compiler is a.out or elf
eval $set_cc_for_build
sed 's/^ //' << EOF >$dummy.c
#include <features.h>
#ifdef __ELF__
# ifdef __GLIBC__
# if __GLIBC__ >= 2
LIBC=gnu
# else
LIBC=gnulibc1
# endif
# else
LIBC=gnulibc1
# endif
#else
#if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__SUNPRO_C) || defined(__SUNPRO_CC)
LIBC=gnu
#else
LIBC=gnuaout
#endif
#endif
#ifdef __dietlibc__
LIBC=dietlibc
#endif
EOF
eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
/^LIBC/{
s: ::g
p
}'`"
test x"${LIBC}" != x && {
echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
exit
}
test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
;;
i*86:DYNIX/ptx:4*:*)
# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
# earlier versions are messed up and put the nodename in both
@ -1247,6 +1206,16 @@ EOF
*:Darwin:*:*)
UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
case $UNAME_PROCESSOR in
i386)
eval $set_cc_for_build
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
UNAME_PROCESSOR="x86_64"
fi
fi ;;
unknown) UNAME_PROCESSOR=powerpc ;;
esac
echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}

View file

@ -55,6 +55,9 @@
don't. */
#undef HAVE_DECL_GETNAMEINFO
/* Define to 1 if you have the <dirent.h> header file. */
#undef HAVE_DIRENT_H
/* Define to 1 if you have the `EVP_EncryptInit_ex' function. */
#undef HAVE_EVP_ENCRYPTINIT_EX
@ -94,6 +97,9 @@
/* Define to 1 if you have the <linux/if_tun.h> header file. */
#undef HAVE_LINUX_IF_TUN_H
/* enable lzo compression support */
#undef HAVE_LZO
/* Define to 1 if you have the <lzo1x.h> header file. */
#undef HAVE_LZO1X_H
@ -327,6 +333,9 @@
/* Define to 1 if you have the `writev' function. */
#undef HAVE_WRITEV
/* have zlib compression support */
#undef HAVE_ZLIB
/* Define to 1 if you have the <zlib.h> header file. */
#undef HAVE_ZLIB_H

47
config.sub vendored
View file

@ -1,10 +1,10 @@
#! /bin/sh
# Configuration validation subroutine script.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
# Free Software Foundation, Inc.
timestamp='2009-06-11'
timestamp='2010-01-22'
# This file is (in principle) common to ALL GNU software.
# The presence of a machine in this file suggests that SOME GNU software
@ -32,13 +32,16 @@ timestamp='2009-06-11'
# Please send patches to <config-patches@gnu.org>. Submit a context
# diff and a properly formatted ChangeLog entry.
# diff and a properly formatted GNU ChangeLog entry.
#
# Configuration subroutine to validate and canonicalize a configuration type.
# Supply the specified configuration type as an argument.
# If it is invalid, we print an error message on stderr and exit with code 1.
# Otherwise, we print the canonical config type on stdout and succeed.
# You can get the latest version of this script from:
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
# This file is supposed to be the same for all GNU packages
# and recognize all the CPU types, system types and aliases
# that are meaningful with *any* GNU software.
@ -72,8 +75,9 @@ Report bugs and patches to <config-patches@gnu.org>."
version="\
GNU config.sub ($timestamp)
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -149,7 +153,7 @@ case $os in
-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-apple | -axis | -knuth | -cray)
-apple | -axis | -knuth | -cray | -microblaze)
os=
basic_machine=$1
;;
@ -284,6 +288,7 @@ case $basic_machine in
| pdp10 | pdp11 | pj | pjl \
| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
| pyramid \
| rx \
| score \
| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
| sh64 | sh64le \
@ -291,13 +296,14 @@ case $basic_machine in
| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
| spu | strongarm \
| tahoe | thumb | tic4x | tic80 | tron \
| ubicom32 \
| v850 | v850e \
| we32k \
| x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
| z8k | z80)
basic_machine=$basic_machine-unknown
;;
m6811 | m68hc11 | m6812 | m68hc12)
m6811 | m68hc11 | m6812 | m68hc12 | picochip)
# Motorola 68HC11/12.
basic_machine=$basic_machine-unknown
os=-none
@ -340,7 +346,7 @@ case $basic_machine in
| lm32-* \
| m32c-* | m32r-* | m32rle-* \
| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
| m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
| m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \
| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
| mips16-* \
| mips64-* | mips64el-* \
@ -368,15 +374,17 @@ case $basic_machine in
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
| pyramid-* \
| romp-* | rs6000-* \
| romp-* | rs6000-* | rx-* \
| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
| sparclite-* \
| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \
| tahoe-* | thumb-* \
| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* | tile-* \
| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
| tile-* | tilegx-* \
| tron-* \
| ubicom32-* \
| v850-* | v850e-* | vax-* \
| we32k-* \
| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
@ -726,6 +734,9 @@ case $basic_machine in
basic_machine=ns32k-utek
os=-sysv
;;
microblaze)
basic_machine=microblaze-xilinx
;;
mingw32)
basic_machine=i386-pc
os=-mingw32
@ -1076,6 +1087,11 @@ case $basic_machine in
basic_machine=tic6x-unknown
os=-coff
;;
# This must be matched before tile*.
tilegx*)
basic_machine=tilegx-unknown
os=-linux-gnu
;;
tile*)
basic_machine=tile-unknown
os=-linux-gnu
@ -1247,6 +1263,9 @@ case $os in
# First match some system type aliases
# that might get confused with valid system types.
# -solaris* is a basic system type, with this one exception.
-auroraux)
os=-auroraux
;;
-solaris1 | -solaris1.*)
os=`echo $os | sed -e 's|solaris1|sunos4|'`
;;
@ -1268,8 +1287,8 @@ case $os in
# -sysv* is not here because it comes later, after sysvr4.
-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
| -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
| -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
| -kopensolaris* \
| -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
| -sym* | -kopensolaris* \
| -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
| -aos* | -aros* \
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
@ -1290,7 +1309,7 @@ case $os in
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
| -skyos* | -haiku* | -rdos* | -toppers* | -drops*)
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
@ -1423,6 +1442,8 @@ case $os in
-dicos*)
os=-dicos
;;
-nacl*)
;;
-none)
;;
*)

32
configure vendored
View file

@ -702,9 +702,11 @@ with_windows2000
with_openssl
with_openssl_include
with_openssl_lib
enable_zlib
with_zlib
with_zlib_include
with_zlib_lib
enable_lzo
with_lzo
with_lzo_include
with_lzo_lib
@ -1341,6 +1343,8 @@ Optional Features:
--disable-dependency-tracking speeds up one-time build
--enable-dependency-tracking do not reject slow dependency extractors
--enable-tunemu enable support for the tunemu driver
--disable-zlib disable zlib compression support
--disable-lzo disable lzo compression support
--enable-jumbograms enable support for jumbograms (packets up to 9000
bytes)
@ -2704,7 +2708,7 @@ fi
# Define the identity of the package.
PACKAGE=tinc
VERSION=1.0.12
VERSION=1.0.13
cat >>confdefs.h <<_ACEOF
@ -5001,7 +5005,7 @@ $as_echo "#define STDC_HEADERS 1" >>confdefs.h
fi
for ac_header in stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/socket.h sys/time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h
for ac_header in stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/socket.h sys/time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h dirent.h
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@ -6347,6 +6351,16 @@ fi
# Check whether --enable-zlib was given.
if test "${enable_zlib+set}" = set; then :
enableval=$enable_zlib;
fi
if test "x$enable_zlib" != "xno"; then :
$as_echo "#define HAVE_ZLIB 1" >>confdefs.h
# Check whether --with-zlib was given.
if test "${with_zlib+set}" = set; then :
@ -6435,6 +6449,18 @@ else
fi
fi
# Check whether --enable-lzo was given.
if test "${enable_lzo+set}" = set; then :
enableval=$enable_lzo;
fi
if test "x$enable_lzo" != "xno"; then :
$as_echo "#define HAVE_LZO 1" >>confdefs.h
# Check whether --with-lzo was given.
@ -6600,6 +6626,8 @@ fi
done
fi
# Check whether --enable-jumbograms was given.
if test "${enable_jumbograms+set}" = set; then :

View file

@ -3,7 +3,7 @@ dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.61)
AC_INIT
AC_CONFIG_SRCDIR([src/tincd.c])
AM_INIT_AUTOMAKE(tinc, 1.0.12)
AM_INIT_AUTOMAKE(tinc, 1.0.13)
AC_CONFIG_HEADERS([config.h])
AM_MAINTAINER_MODE
@ -99,7 +99,7 @@ dnl Checks for header files.
dnl We do this in multiple stages, because unlike Linux all the other operating systems really suck and don't include their own dependencies.
AC_HEADER_STDC
AC_CHECK_HEADERS([stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/socket.h sys/time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h])
AC_CHECK_HEADERS([stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/socket.h sys/time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h dirent.h])
AC_CHECK_HEADERS([net/if.h net/if_types.h linux/if_tun.h net/if_tun.h net/if_tap.h net/ethernet.h net/if_arp.h netinet/in_systm.h netinet/in.h netinet/in6.h],
[], [], [#include "have.h"]
)

Binary file not shown.

View file

@ -199,6 +199,32 @@ Tinc will expect packets read from the virtual network device
to start with an Ethernet header.
.El
.It Va DirectOnly Li = yes | no Po no Pc Bq experimental
When this option is enabled, packets that cannot be sent directly to the destination node,
but which would have to be forwarded by an intermediate node, are dropped instead.
When combined with the IndirectData option,
packets for nodes for which we do not have a meta connection with are also dropped.
.It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
This option selects the way indirect packets are forwarded.
.Bl -tag -width indent
.It off
Incoming packets that are not meant for the local node,
but which should be forwarded to another node, are dropped.
.It internal
Incoming packets that are meant for another node are forwarded by tinc internally.
.Pp
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
.It kernel
Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
and can also help debugging.
.El
.It Va GraphDumpFile Li = Ar filename Bq experimental
If this option is present,
.Nm tinc
@ -308,11 +334,18 @@ specified in the configuration file.
When this option is used the priority of the tincd process will be adjusted.
Increasing the priority may help to reduce latency and packet loss on the VPN.
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will no longer forward information between other tinc daemons,
and will only allow nodes and subnets on the VPN which are present in the
.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory.
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will no longer forward information between other tinc daemons,
and will only allow connections with nodes for which host config files are present in the local
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory.
Setting this options also implicitly sets StrictSubnets.
.El
.Sh HOST CONFIGURATION FILES

View file

@ -5,7 +5,7 @@ START-INFO-DIR-ENTRY
* tinc: (tinc). The tinc Manual.
END-INFO-DIR-ENTRY
This is the info manual for tinc version 1.0.12, a Virtual Private
This is the info manual for tinc version 1.0.13, a Virtual Private
Network daemon.
Copyright (C) 1998-2010 Ivo Timmermans, Guus Sliepen
@ -738,6 +738,33 @@ DeviceType = <tun|tunnohead|tunifhead|tap> (only supported on BSD platforms)
Set type to tap. Tinc will expect packets read from the
virtual network device to start with an Ethernet header.
DirectOnly = <yes|no> (no) [experimental]
When this option is enabled, packets that cannot be sent directly
to the destination node, but which would have to be forwarded by
an intermediate node, are dropped instead. When combined with the
IndirectData option, packets for nodes for which we do not have a
meta connection with are also dropped.
Forwarding = <off|internal|kernel> (internal) [experimental]
This option selects the way indirect packets are forwarded.
off
Incoming packets that are not meant for the local node, but
which should be forwarded to another node, are dropped.
internal
Incoming packets that are meant for another node are
forwarded by tinc internally.
This is the default mode, and unless you really know you need
another forwarding mode, don't change it.
kernel
Incoming packets are always sent to the TUN/TAP device, even
if the packets are not for the local node. This is less
efficient, but allows the kernel to apply its routing and
firewall rules on them, and can also help debugging.
GraphDumpFile = <FILENAME> [experimental]
If this option is present, tinc will dump the current network
graph to the file FILENAME every minute, unless there were no
@ -842,11 +869,17 @@ ProcessPriority = <low|normal|high>
adjusted. Increasing the priority may help to reduce latency and
packet loss on the VPN.
StrictSubnets <yes|no> (no) [experimental]
When this option is enabled tinc will only use Subnet statements
which are present in the host config files in the local
`/etc/tinc/NETNAME/hosts/' directory.
TunnelServer = <yes|no> (no) [experimental]
When this option is enabled tinc will no longer forward
information between other tinc daemons, and will only allow nodes
and subnets on the VPN which are present in the
`/etc/tinc/NETNAME/hosts/' directory.
information between other tinc daemons, and will only allow
connections with nodes for which host config files are present in
the local `/etc/tinc/NETNAME/hosts/' directory. Setting this
options also implicitly sets StrictSubnets.

@ -1200,9 +1233,9 @@ _BranchA_ would be configured like this:
Note that the IP addresses of eth0 and tap0 are the same. This is
quite possible, if you make sure that the netmasks of the interfaces
are different. It is in fact recommended to give give both real
internal network interfaces and tap interfaces the same IP address,
since that will make things a lot easier to remember and set up.
are different. It is in fact recommended to give both real internal
network interfaces and tap interfaces the same IP address, since that
will make things a lot easier to remember and set up.
For Branch B
............
@ -1220,8 +1253,8 @@ In `/etc/tinc/company/tinc-up':
ConnectTo = BranchA
Note here that the internal address (on eth0) doesn't have to be the
same as on the tap0 device. Also, ConnectTo is given so that no-one can
connect to this node.
same as on the tap0 device. Also, ConnectTo is given so that this node
will always try to connect to BranchA.
On all hosts, in `/etc/tinc/company/hosts/BranchB':
@ -2258,47 +2291,51 @@ Concept Index
(line 45)
* Digest: Host configuration variables.
(line 29)
* DirectOnly: Main configuration variables.
(line 73)
* encapsulating: The UDP tunnel. (line 30)
* encryption: Encryption of network packets.
(line 6)
* environment variables: Scripts. (line 43)
* example: Example configuration.
(line 6)
* Forwarding: Main configuration variables.
(line 80)
* frame type: The UDP tunnel. (line 6)
* GraphDumpFile: Main configuration variables.
(line 73)
(line 100)
* Hostnames: Main configuration variables.
(line 81)
(line 108)
* hub: Main configuration variables.
(line 122)
(line 149)
* ID: Authentication protocol.
(line 10)
* IndirectData: Host configuration variables.
(line 34)
* INTERFACE: Scripts. (line 58)
* Interface: Main configuration variables.
(line 91)
(line 118)
* IRC: Contact information. (line 9)
* key generation: Generating keypairs. (line 6)
* KEY_CHANGED: The meta-protocol. (line 64)
* KeyExpire: Main configuration variables.
(line 127)
(line 154)
* libraries: Libraries. (line 6)
* license: OpenSSL. (line 36)
* lzo: lzo. (line 6)
* MACExpire: Main configuration variables.
(line 133)
(line 160)
* MACLength: Host configuration variables.
(line 42)
* meta-protocol: The meta-connection. (line 18)
* META_KEY: Authentication protocol.
(line 10)
* Mode: Main configuration variables.
(line 99)
(line 126)
* multiple networks: Multiple networks. (line 6)
* NAME: Scripts. (line 52)
* Name: Main configuration variables.
(line 138)
(line 165)
* netmask: Network interfaces. (line 34)
* NETNAME: Scripts. (line 49)
* netname: Multiple networks. (line 6)
@ -2311,9 +2348,9 @@ Concept Index
(line 67)
* PING: The meta-protocol. (line 89)
* PingInterval: Main configuration variables.
(line 143)
(line 170)
* PingTimeout: Main configuration variables.
(line 147)
(line 174)
* platforms: Supported platforms. (line 6)
* PMTU: Host configuration variables.
(line 47)
@ -2324,15 +2361,15 @@ Concept Index
(line 55)
* port numbers: Other files. (line 17)
* PriorityInheritance: Main configuration variables.
(line 153)
(line 180)
* private: Virtual Private Networks.
(line 10)
* PrivateKey: Main configuration variables.
(line 158)
(line 185)
* PrivateKeyFile: Main configuration variables.
(line 164)
(line 191)
* ProcessPriority: Main configuration variables.
(line 172)
(line 199)
* PublicKey: Host configuration variables.
(line 59)
* PublicKeyFile: Host configuration variables.
@ -2343,13 +2380,15 @@ Concept Index
* REQ_KEY: The meta-protocol. (line 64)
* requirements: Libraries. (line 6)
* router: Main configuration variables.
(line 102)
(line 129)
* runtime options: Runtime options. (line 9)
* scalability: tinc. (line 19)
* scripts: Scripts. (line 6)
* server: How connections work.
(line 18)
* signals: Signals. (line 6)
* StrictSubnets: Main configuration variables.
(line 204)
* SUBNET: Scripts. (line 74)
* Subnet: Host configuration variables.
(line 74)
@ -2357,7 +2396,7 @@ Concept Index
(line 97)
* SVPN: Security. (line 11)
* switch: Main configuration variables.
(line 111)
(line 138)
* TCP: The meta-connection. (line 10)
* TCPonly: Host configuration variables.
(line 104)
@ -2371,7 +2410,7 @@ Concept Index
* tunifhead: Main configuration variables.
(line 62)
* TunnelServer: Main configuration variables.
(line 177)
(line 209)
* tunnohead: Main configuration variables.
(line 56)
* UDP <1>: Encryption of network packets.
@ -2424,34 +2463,34 @@ Node: Multiple networks21168
Node: How connections work22594
Node: Configuration files23816
Node: Main configuration variables24823
Node: Host configuration variables32865
Node: Scripts38276
Node: How to configure41046
Node: Generating keypairs42309
Node: Network interfaces42808
Node: Example configuration44656
Node: Running tinc49968
Node: Runtime options50558
Node: Signals53353
Node: Debug levels54422
Node: Solving problems55358
Node: Error messages56910
Node: Sending bug reports60923
Node: Technical information61875
Node: The connection62106
Node: The UDP tunnel62418
Node: The meta-connection65479
Node: The meta-protocol66948
Node: Security71957
Node: Authentication protocol73087
Node: Encryption of network packets78091
Node: Security issues79464
Node: Platform specific information81081
Node: Interface configuration81309
Node: Routes83208
Node: About us85124
Node: Contact information85299
Node: Authors85703
Node: Concept Index86108
Node: Host configuration variables34334
Node: Scripts39745
Node: How to configure42515
Node: Generating keypairs43778
Node: Network interfaces44277
Node: Example configuration46125
Node: Running tinc51448
Node: Runtime options52038
Node: Signals54833
Node: Debug levels55902
Node: Solving problems56838
Node: Error messages58390
Node: Sending bug reports62403
Node: Technical information63355
Node: The connection63586
Node: The UDP tunnel63898
Node: The meta-connection66959
Node: The meta-protocol68428
Node: Security73437
Node: Authentication protocol74567
Node: Encryption of network packets79571
Node: Security issues80944
Node: Platform specific information82561
Node: Interface configuration82789
Node: Routes84688
Node: About us86604
Node: Contact information86779
Node: Authors87183
Node: Concept Index87588

End Tag Table

View file

@ -818,6 +818,33 @@ Tinc will expect packets read from the virtual network device
to start with an Ethernet header.
@end table
@cindex DirectOnly
@item DirectOnly = <yes|no> (no) [experimental]
When this option is enabled, packets that cannot be sent directly to the destination node,
but which would have to be forwarded by an intermediate node, are dropped instead.
When combined with the IndirectData option,
packets for nodes for which we do not have a meta connection with are also dropped.
@cindex Forwarding
@item Forwarding = <off|internal|kernel> (internal) [experimental]
This option selects the way indirect packets are forwarded.
@table @asis
@item off
Incoming packets that are not meant for the local node,
but which should be forwarded to another node, are dropped.
@item internal
Incoming packets that are meant for another node are forwarded by tinc internally.
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
@item kernel
Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
and can also help debugging.
@end table
@cindex GraphDumpFile
@item GraphDumpFile = <@var{filename}> [experimental]
If this option is present,
@ -928,11 +955,18 @@ specified in the configuration file.
When this option is used the priority of the tincd process will be adjusted.
Increasing the priority may help to reduce latency and packet loss on the VPN.
@cindex StrictSubnets
@item StrictSubnets <yes|no> (no) [experimental]
When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
@cindex TunnelServer
@item TunnelServer = <yes|no> (no) [experimental]
When this option is enabled tinc will no longer forward information between other tinc daemons,
and will only allow nodes and subnets on the VPN which are present in the
and will only allow connections with nodes for which host config files are present in the local
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
Setting this options also implicitly sets StrictSubnets.
@end table
@ -1314,7 +1348,7 @@ Address = 1.2.3.4
Note that the IP addresses of eth0 and tap0 are the same.
This is quite possible, if you make sure that the netmasks of the interfaces are different.
It is in fact recommended to give give both real internal network interfaces and tap interfaces the same IP address,
It is in fact recommended to give both real internal network interfaces and tap interfaces the same IP address,
since that will make things a lot easier to remember and set up.
@ -1337,8 +1371,8 @@ ConnectTo = BranchA
@end example
Note here that the internal address (on eth0) doesn't have to be the
same as on the tap0 device. Also, ConnectTo is given so that no-one can
connect to this node.
same as on the tap0 device. Also, ConnectTo is given so that this node will
always try to connect to BranchA.
On all hosts, in @file{@value{sysconfdir}/tinc/company/hosts/BranchB}:

4
have.h
View file

@ -96,6 +96,10 @@
#include <sys/uio.h>
#endif
#ifdef HAVE_DIRENT_H
#include <dirent.h>
#endif
/* SunOS really wants sys/socket.h BEFORE net/if.h,
and FreeBSD wants these lines below the rest. */

View file

@ -45,6 +45,10 @@
#define ICMP_NET_UNREACH 0
#endif
#ifndef ICMP_NET_ANO
#define ICMP_NET_ANO 9
#endif
#ifndef IP_MSS
#define IP_MSS 576
#endif

View file

@ -95,6 +95,7 @@ struct icmp6_hdr {
#define ICMP6_DST_UNREACH_NOROUTE 0
#define ICMP6_DST_UNREACH 1
#define ICMP6_PACKET_TOO_BIG 2
#define ICMP6_DST_UNREACH_ADMIN 1
#define ICMP6_DST_UNREACH_ADDR 3
#define ND_NEIGHBOR_SOLICIT 135
#define ND_NEIGHBOR_ADVERT 136

View file

@ -2,6 +2,10 @@ dnl Check to find the lzo headers/libraries
AC_DEFUN([tinc_LZO],
[
AC_ARG_ENABLE([lzo],
AS_HELP_STRING([--disable-lzo], [disable lzo compression support]))
AS_IF([test "x$enable_lzo" != "xno"], [
AC_DEFINE(HAVE_LZO, 1, [enable lzo compression support])
AC_ARG_WITH(lzo,
AS_HELP_STRING([--with-lzo=DIR], [lzo base directory, or:]),
[lzo="$withval"
@ -39,4 +43,5 @@ AC_DEFUN([tinc_LZO],
)]
)]
)
])
])

View file

@ -2,6 +2,10 @@ dnl Check to find the zlib headers/libraries
AC_DEFUN([tinc_ZLIB],
[
AC_ARG_ENABLE([zlib],
AS_HELP_STRING([--disable-zlib], [disable zlib compression support]))
AS_IF([test "x$enable_zlib" != "xno"], [
AC_DEFINE(HAVE_ZLIB, 1, [have zlib compression support])
AC_ARG_WITH(zlib,
AS_HELP_STRING([--with-zlib=DIR], [zlib base directory, or:]),
[zlib="$withval"
@ -30,4 +34,5 @@ AC_DEFUN([tinc_ZLIB],
[LIBS="$LIBS -lz"],
[AC_MSG_ERROR("zlib libraries not found.")]
)
])
])

View file

@ -26,6 +26,7 @@
#include "conf.h"
#include "logger.h"
#include "netutl.h" /* for str2address */
#include "protocol.h"
#include "utils.h" /* for cp */
#include "xalloc.h"
@ -206,111 +207,60 @@ bool get_config_subnet(const config_t *cfg, subnet_t ** result) {
}
/*
Read exactly one line and strip the trailing newline if any. If the
file was on EOF, return NULL. Otherwise, return all the data in a
dynamically allocated buffer.
If line is non-NULL, it will be used as an initial buffer, to avoid
unnecessary mallocing each time this function is called. If buf is
given, and buf needs to be expanded, the var pointed to by buflen
will be increased.
Read exactly one line and strip the trailing newline if any.
*/
static char *readline(FILE * fp, char **buf, size_t *buflen) {
static char *readline(FILE * fp, char *buf, size_t buflen) {
char *newline = NULL;
char *p;
char *line; /* The array that contains everything that has been read so far */
char *idx; /* Read into this pointer, which points to an offset within line */
size_t size, newsize; /* The size of the current array pointed to by line */
size_t maxlen; /* Maximum number of characters that may be read with fgets. This is newsize - oldsize. */
if(feof(fp))
return NULL;
if(buf && buflen) {
size = *buflen;
line = *buf;
} else {
size = 100;
line = xmalloc(size);
}
p = fgets(buf, buflen, fp);
maxlen = size;
idx = line;
*idx = 0;
for(;;) {
errno = 0;
p = fgets(idx, maxlen, fp);
if(!p) { /* EOF or error */
if(feof(fp))
break;
/* otherwise: error; let the calling function print an error message if applicable */
free(line);
if(!p)
return NULL;
}
newline = strchr(p, '\n');
if(!newline) { /* We haven't yet read everything to the end of the line */
newsize = size << 1;
line = xrealloc(line, newsize);
idx = &line[size - 1];
maxlen = newsize - size + 1;
size = newsize;
} else {
if(!newline)
return NULL;
*newline = '\0'; /* kill newline */
if(newline > p && newline[-1] == '\r') /* and carriage return if necessary */
newline[-1] = '\0';
break; /* yay */
}
}
if(buf && buflen) {
*buflen = size;
*buf = line;
}
return line;
return buf;
}
/*
Parse a configuration file and put the results in the configuration tree
starting at *base.
*/
int read_config_file(avl_tree_t *config_tree, const char *fname) {
int err = -2; /* Parse error */
bool read_config_file(avl_tree_t *config_tree, const char *fname) {
FILE *fp;
char *buffer, *line;
char buffer[MAX_STRING_SIZE];
char *line;
char *variable, *value, *eol;
int lineno = 0;
int len;
bool ignore = false;
config_t *cfg;
size_t bufsize;
bool result = false;
fp = fopen(fname, "r");
if(!fp) {
logger(LOG_ERR, "Cannot open config file %s: %s", fname,
strerror(errno));
return -3;
logger(LOG_ERR, "Cannot open config file %s: %s", fname, strerror(errno));
return false;
}
bufsize = 100;
buffer = xmalloc(bufsize);
for(;;) {
if(feof(fp)) {
err = 0;
break;
}
line = readline(fp, &buffer, &bufsize);
line = readline(fp, buffer, sizeof buffer);
if(!line) {
err = -1;
if(feof(fp))
result = true;
break;
}
@ -361,46 +311,46 @@ int read_config_file(avl_tree_t *config_tree, const char *fname) {
config_add(config_tree, cfg);
}
free(buffer);
fclose(fp);
return err;
return result;
}
bool read_server_config() {
char *fname;
int x;
bool x;
xasprintf(&fname, "%s/tinc.conf", confbase);
x = read_config_file(config_tree, fname);
if(x == -1) { /* System error: complain */
if(!x) { /* System error: complain */
logger(LOG_ERR, "Failed to read `%s': %s", fname, strerror(errno));
}
free(fname);
return x == 0;
return x;
}
FILE *ask_and_open(const char *filename, const char *what) {
FILE *r;
char *directory;
char *fn;
char line[PATH_MAX];
const char *fn;
/* Check stdin and stdout */
if(!isatty(0) || !isatty(1)) {
/* Argh, they are running us from a script or something. Write
the files to the current directory and let them burn in hell
for ever. */
fn = xstrdup(filename);
fn = filename;
} else {
/* Ask for a file and/or directory name. */
fprintf(stdout, "Please enter a file to save %s to [%s]: ",
what, filename);
fflush(stdout);
fn = readline(stdin, NULL, NULL);
fn = readline(stdin, line, sizeof line);
if(!fn) {
fprintf(stderr, "Error while reading stdin: %s\n",
@ -410,7 +360,7 @@ FILE *ask_and_open(const char *filename, const char *what) {
if(!strlen(fn))
/* User just pressed enter. */
fn = xstrdup(filename);
fn = filename;
}
#ifdef HAVE_MINGW
@ -423,7 +373,6 @@ FILE *ask_and_open(const char *filename, const char *what) {
directory = get_current_dir_name();
xasprintf(&p, "%s/%s", directory, fn);
free(fn);
free(directory);
fn = p;
}
@ -437,12 +386,9 @@ FILE *ask_and_open(const char *filename, const char *what) {
if(!r) {
fprintf(stderr, "Error opening file `%s': %s\n",
fn, strerror(errno));
free(fn);
return NULL;
}
free(fn);
return r;
}

View file

@ -54,7 +54,7 @@ extern bool get_config_string(const config_t *, char **);
extern bool get_config_address(const config_t *, struct addrinfo **);
extern bool get_config_subnet(const config_t *, struct subnet_t **);
extern int read_config_file(avl_tree_t *, const char *);
extern bool read_config_file(avl_tree_t *, const char *);
extern bool read_server_config(void);
extern FILE *ask_and_open(const char *, const char *);
extern bool is_safe_path(const char *);

View file

@ -130,11 +130,11 @@ void dump_connections(void) {
bool read_connection_config(connection_t *c) {
char *fname;
int x;
bool x;
xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
x = read_config_file(c->config_tree, fname);
free(fname);
return x == 0;
return x;
}

View file

@ -68,8 +68,8 @@ static void purge(void) {
for(snode = n->subnet_tree->head; snode; snode = snext) {
snext = snode->next;
s = snode->data;
if(!tunnelserver)
send_del_subnet(broadcast, s);
if(!strictsubnets)
subnet_del(n, s);
}
@ -98,7 +98,8 @@ static void purge(void) {
break;
}
if(!enode)
if(!enode && (!strictsubnets || !n->subnet_tree->head))
/* in strictsubnets mode do not delete nodes with subnets */
node_del(n);
}
}
@ -488,6 +489,36 @@ int main_loop(void) {
last_config_check = now;
/* If StrictSubnet is set, expire deleted Subnets and read new ones in */
if(strictsubnets) {
subnet_t *subnet;
for(node = subnet_tree->head; node; node = node->next) {
subnet = node->data;
subnet->expires = 1;
}
load_all_subnets();
for(node = subnet_tree->head; node; node = next) {
next = node->next;
subnet = node->data;
if(subnet->expires == 1) {
send_del_subnet(broadcast, subnet);
if(subnet->owner->status.reachable)
subnet_update(subnet->owner, subnet, false);
subnet_del(subnet->owner, subnet);
} else if(subnet->expires == -1) {
subnet->expires = 0;
} else {
send_add_subnet(broadcast, subnet);
if(subnet->owner->status.reachable)
subnet_update(subnet->owner, subnet, true);
}
}
}
/* Try to make outgoing connections */
try_outgoing_connections();

View file

@ -139,6 +139,7 @@ extern void terminate_connection(struct connection_t *, bool);
extern void flush_queue(struct node_t *);
extern bool read_rsa_public_key(struct connection_t *);
extern void send_mtu_probe(struct node_t *);
extern void load_all_subnets();
#ifndef HAVE_MINGW
#define closesocket(s) close(s)

View file

@ -26,8 +26,13 @@
#include <openssl/pem.h>
#include <openssl/hmac.h>
#ifdef HAVE_ZLIB
#include <zlib.h>
#endif
#ifdef HAVE_LZO
#include LZO1X_H
#endif
#include "avl_tree.h"
#include "conf.h"
@ -48,7 +53,9 @@
int keylifetime = 0;
int keyexpires = 0;
#ifdef HAVE_LZO
static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
#endif
static void send_udppacket(node_t *, vpn_packet_t *);
@ -147,39 +154,60 @@ void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
}
static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
if(level == 10) {
if(level == 0) {
memcpy(dest, source, len);
return len;
} else if(level == 10) {
#ifdef HAVE_LZO
lzo_uint lzolen = MAXSIZE;
lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
return lzolen;
#else
return -1;
#endif
} else if(level < 10) {
#ifdef HAVE_ZLIB
unsigned long destlen = MAXSIZE;
if(compress2(dest, &destlen, source, len, level) == Z_OK)
return destlen;
else
#endif
return -1;
} else {
#ifdef HAVE_LZO
lzo_uint lzolen = MAXSIZE;
lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
return lzolen;
#else
return -1;
#endif
}
return -1;
}
static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
if(level > 9) {
if(level == 0) {
memcpy(dest, source, len);
return len;
} else if(level > 9) {
#ifdef HAVE_LZO
lzo_uint lzolen = MAXSIZE;
if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
return lzolen;
else
#endif
return -1;
} else {
}
#ifdef HAVE_ZLIB
else {
unsigned long destlen = MAXSIZE;
if(uncompress(dest, &destlen, source, len) == Z_OK)
return destlen;
else
return -1;
}
#endif
return -1;
}

View file

@ -201,6 +201,68 @@ bool read_rsa_private_key(void) {
return true;
}
/*
Read Subnets from all host config files
*/
void load_all_subnets(void) {
DIR *dir;
struct dirent *ent;
char *dname;
char *fname;
avl_tree_t *config_tree;
config_t *cfg;
subnet_t *s, *s2;
node_t *n;
bool result;
xasprintf(&dname, "%s/hosts", confbase);
dir = opendir(dname);
if(!dir) {
logger(LOG_ERR, "Could not open %s: %s", dname, strerror(errno));
free(dname);
return;
}
while((ent = readdir(dir))) {
if(!check_id(ent->d_name))
continue;
n = lookup_node(ent->d_name);
#ifdef _DIRENT_HAVE_D_TYPE
//if(ent->d_type != DT_REG)
// continue;
#endif
xasprintf(&fname, "%s/hosts/%s", confbase, ent->d_name);
init_configuration(&config_tree);
result = read_config_file(config_tree, fname);
free(fname);
if(!result)
continue;
if(!n) {
n = new_node();
n->name = xstrdup(ent->d_name);
node_add(n);
}
for(cfg = lookup_config(config_tree, "Subnet"); cfg; cfg = lookup_config_next(config_tree, cfg)) {
if(!get_config_subnet(cfg, &s))
continue;
if((s2 = lookup_subnet(n, s))) {
s2->expires = -1;
} else {
subnet_add(n, s);
}
}
exit_configuration(&config_tree);
}
closedir(dir);
}
/*
Configure node_t myself and set up the local sockets (listen only)
*/
@ -250,6 +312,16 @@ bool setup_myself(void) {
&& !get_config_string(lookup_config(myself->connection->config_tree, "Port"), &myport))
myport = xstrdup("655");
if(!atoi(myport)) {
struct addrinfo *ai = str2addrinfo("localhost", myport, SOCK_DGRAM);
sockaddr_t sa;
if(!ai || !ai->ai_addr)
return false;
free(myport);
memcpy(&sa, ai->ai_addr, ai->ai_addrlen);
sockaddr2str(&sa, NULL, &myport);
}
/* Read in all the subnets specified in the host configuration file */
cfg = lookup_config(myself->connection->config_tree, "Subnet");
@ -280,7 +352,10 @@ bool setup_myself(void) {
if(myself->options & OPTION_TCPONLY)
myself->options |= OPTION_INDIRECT;
get_config_bool(lookup_config(config_tree, "DirectOnly"), &directonly);
get_config_bool(lookup_config(config_tree, "StrictSubnets"), &strictsubnets);
get_config_bool(lookup_config(config_tree, "TunnelServer"), &tunnelserver);
strictsubnets |= tunnelserver;
if(get_config_string(lookup_config(config_tree, "Mode"), &mode)) {
if(!strcasecmp(mode, "router"))
@ -294,8 +369,21 @@ bool setup_myself(void) {
return false;
}
free(mode);
} else
routing_mode = RMODE_ROUTER;
}
if(get_config_string(lookup_config(config_tree, "Forwarding"), &mode)) {
if(!strcasecmp(mode, "off"))
forwarding_mode = FMODE_OFF;
else if(!strcasecmp(mode, "internal"))
forwarding_mode = FMODE_INTERNAL;
else if(!strcasecmp(mode, "kernel"))
forwarding_mode = FMODE_KERNEL;
else {
logger(LOG_ERR, "Invalid forwarding mode!");
return false;
}
free(mode);
}
choice = true;
get_config_bool(lookup_config(myself->connection->config_tree, "PMTUDiscovery"), &choice);
@ -426,6 +514,9 @@ bool setup_myself(void) {
graph();
if(strictsubnets)
load_all_subnets();
/* Open device */
if(!setup_device())

View file

@ -102,7 +102,9 @@ void sockaddr2str(const sockaddr_t *sa, char **addrstr, char **portstr) {
if(scopeid)
*scopeid = '\0'; /* Descope. */
if(addrstr)
*addrstr = xstrdup(address);
if(portstr)
*portstr = xstrdup(port);
}

View file

@ -29,6 +29,7 @@
#include "xalloc.h"
bool tunnelserver = false;
bool strictsubnets = false;
/* Jumptable for the request handlers */

View file

@ -53,6 +53,7 @@ typedef struct past_request_t {
} past_request_t;
extern bool tunnelserver;
extern bool strictsubnets;
/* Maximum size of strings in a request.
* scanf terminates %2048s with a NUL character,

View file

@ -497,7 +497,7 @@ static void send_everything(connection_t *c) {
bool ack_h(connection_t *c) {
char hisport[MAX_STRING_SIZE];
char *hisaddress, *dummy;
char *hisaddress;
int weight, mtu;
uint32_t options;
node_t *n;
@ -566,10 +566,9 @@ bool ack_h(connection_t *c) {
c->edge = new_edge();
c->edge->from = myself;
c->edge->to = n;
sockaddr2str(&c->address, &hisaddress, &dummy);
sockaddr2str(&c->address, &hisaddress, NULL);
c->edge->address = str2sockaddr(hisaddress, hisport);
free(hisaddress);
free(dummy);
c->edge->weight = (weight + c->estimated_weight) / 2;
c->edge->connection = c;
c->edge->options = c->options;

View file

@ -104,29 +104,21 @@ bool add_subnet_h(connection_t *c) {
return true;
}
/* In tunnel server mode, check if the subnet matches one in the config file of this node */
/* In tunnel server mode, we should already know all allowed subnets */
if(tunnelserver) {
config_t *cfg;
subnet_t *allowed;
for(cfg = lookup_config(c->config_tree, "Subnet"); cfg; cfg = lookup_config_next(c->config_tree, cfg)) {
if(!get_config_subnet(cfg, &allowed))
continue;
if(!subnet_compare(&s, allowed))
break;
free_subnet(allowed);
}
if(!cfg) {
logger(LOG_WARNING, "Ignoring unauthorized %s from %s (%s): %s",
"ADD_SUBNET", c->name, c->hostname, subnetstr);
return true;
}
free_subnet(allowed);
/* Ignore if strictsubnets is true, but forward it to others */
if(strictsubnets) {
logger(LOG_WARNING, "Ignoring unauthorized %s from %s (%s): %s",
"ADD_SUBNET", c->name, c->hostname, subnetstr);
forward_request(c);
return true;
}
/* If everything is correct, add the subnet to the list of the owner */
@ -139,7 +131,6 @@ bool add_subnet_h(connection_t *c) {
/* Tell the rest */
if(!tunnelserver)
forward_request(c);
/* Fast handoff of roaming MAC addresses */
@ -216,6 +207,8 @@ bool del_subnet_h(connection_t *c) {
if(!find) {
ifdebug(PROTOCOL) logger(LOG_WARNING, "Got %s from %s (%s) for %s which does not appear in his subnet tree",
"DEL_SUBNET", c->name, c->hostname, name);
if(strictsubnets)
forward_request(c);
return true;
}
@ -228,10 +221,14 @@ bool del_subnet_h(connection_t *c) {
return true;
}
if(tunnelserver)
return true;
/* Tell the rest */
if(!tunnelserver)
forward_request(c);
if(strictsubnets)
return true;
/* Finally, delete it. */

View file

@ -33,6 +33,8 @@
#include "utils.h"
rmode_t routing_mode = RMODE_ROUTER;
fmode_t forwarding_mode = FMODE_INTERNAL;
bool directonly = false;
bool priorityinheritance = false;
int macexpire = 600;
bool overwrite_mac = false;
@ -48,7 +50,10 @@ static const size_t ip6_size = sizeof(struct ip6_hdr);
static const size_t icmp6_size = sizeof(struct icmp6_hdr);
static const size_t ns_size = sizeof(struct nd_neighbor_solicit);
static const size_t opt_size = sizeof(struct nd_opt_hdr);
#define max(a, b) ((a) > (b) ? (a) : (b))
#ifndef MAX
#define MAX(a, b) ((a) > (b) ? (a) : (b))
#endif
/* RFC 1071 */
@ -94,9 +99,13 @@ static bool checklength(node_t *source, vpn_packet_t *packet, length_t length) {
}
static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *packet) {
if(!via || via == myself || !(via->options & OPTION_CLAMP_MSS))
if(!source || !via || !(via->options & OPTION_CLAMP_MSS))
return;
uint16_t mtu = source->mtu;
if(via != myself && via->mtu < mtu)
mtu = via->mtu;
/* Find TCP header */
int start = 0;
uint16_t type = packet->data[12] << 8 | packet->data[13];
@ -140,7 +149,7 @@ static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *pac
/* Found it */
uint16_t oldmss = packet->data[start + 22 + i] << 8 | packet->data[start + 23 + i];
uint16_t newmss = via->mtu - start - 20;
uint16_t newmss = mtu - start - 20;
uint16_t csum = packet->data[start + 16] << 8 | packet->data[start + 17];
if(oldmss <= newmss)
@ -379,17 +388,23 @@ static void route_ipv4_unicast(node_t *source, vpn_packet_t *packet) {
}
if(!subnet->owner->status.reachable)
route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_UNREACH);
return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_UNREACH);
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_ANO);
if(priorityinheritance)
packet->priority = packet->data[15];
via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
if(via && packet->len > max(via->mtu, 590) && via != myself) {
if(directonly && subnet->owner != via)
return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_ANO);
if(via && packet->len > MAX(via->mtu, 590) && via != myself) {
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
if(packet->data[20] & 0x40) {
packet->len = max(via->mtu, 590);
packet->len = MAX(via->mtu, 590);
route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
} else {
fragment_ipv4_packet(via, packet);
@ -527,13 +542,19 @@ static void route_ipv6_unicast(node_t *source, vpn_packet_t *packet) {
}
if(!subnet->owner->status.reachable)
route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE);
return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE);
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
if(via && packet->len > max(via->mtu, 1294) && via != myself) {
if(directonly && subnet->owner != via)
return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
if(via && packet->len > MAX(via->mtu, 1294) && via != myself) {
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
packet->len = max(via->mtu, 1294);
packet->len = MAX(via->mtu, 1294);
route_ipv6_unreachable(source, packet, ICMP6_PACKET_TOO_BIG, 0);
return;
}
@ -792,10 +813,16 @@ static void route_mac(node_t *source, vpn_packet_t *packet) {
return;
}
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
return;
// Handle packets larger than PMTU
node_t *via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
if(directonly && subnet->owner != via)
return;
if(via && packet->len > via->mtu && via != myself) {
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
uint16_t type = packet->data[12] << 8 | packet->data[13];
@ -820,6 +847,11 @@ static void route_mac(node_t *source, vpn_packet_t *packet) {
}
void route(node_t *source, vpn_packet_t *packet) {
if(forwarding_mode == FMODE_KERNEL && source != myself) {
send_packet(myself, packet);
return;
}
if(!checklength(source, packet, ether_size))
return;

View file

@ -30,7 +30,15 @@ typedef enum rmode_t {
RMODE_ROUTER,
} rmode_t;
typedef enum fmode_t {
FMODE_OFF = 0,
FMODE_INTERNAL,
FMODE_KERNEL,
} fmode_t;
extern rmode_t routing_mode;
extern fmode_t forwarding_mode;
extern bool directonly;
extern bool overwrite_mac;
extern bool priorityinheritance;
extern int macexpire;

View file

@ -64,6 +64,8 @@ typedef struct subnet_t {
#define MAXNETSTR 64
extern avl_tree_t *subnet_tree;
extern int subnet_compare(const struct subnet_t *, const struct subnet_t *);
extern subnet_t *new_subnet(void) __attribute__ ((__malloc__));
extern void free_subnet(subnet_t *);

View file

@ -37,7 +37,9 @@
#include <openssl/evp.h>
#include <openssl/engine.h>
#ifdef HAVE_LZO
#include LZO1X_H
#endif
#ifndef HAVE_MINGW
#include <pwd.h>
@ -540,10 +542,12 @@ int main(int argc, char **argv) {
if(!read_server_config())
return 1;
#ifdef HAVE_LZO
if(lzo_init() != LZO_E_OK) {
logger(LOG_ERR, "Error initializing LZO compressor!");
return 1;
}
#endif
#ifdef HAVE_MINGW
if(WSAStartup(MAKEWORD(2, 2), &wsa_state)) {