Add UDP discovery mechanism.

This adds a new mechanism by which tinc can determine if a node is
reachable via UDP. The new mechanism is currently redundant with the
PMTU discovery mechanism - that will be fixed in a future commit.

Conceptually, the UDP discovery mechanism works similarly to PMTU
discovery: it sends UDP probes (of minmtu size, to make sure the tunnel
is fully usable), and assumes UDP is usable if it gets replies. It
assumes UDP is broken if too much time has passed since the last reply.

The big difference with the current PMTU discovery mechanism, however,
is that UDP discovery probes are only triggered as part of the
packet TX path (through try_tx()). This is quite interesting, because
it means tinc will never send UDP pings more often than normal packets,
and most importantly, it will automatically stop sending pings as soon
as packets stop flowing, thereby nicely reducing network chatter.

Of course, there are small drawbacks in some edge cases: for example,
if a node only sends one packet every minute to another node, these
packets will only be sent over TCP, because the interval between packets
is too long for tinc to maintain the UDP tunnel. I consider this a
feature, not a bug: I believe it is appropriate to use TCP in scenarios
where traffic is negligible, so that we don't pollute the network with
pings just to maintain a UDP tunnel that's seeing negligible usage.

diff --git a/bash_completion.d/tinc b/bash_completion.d/tinc
index 240326f90dc6ff8bbe1ba8eed1340028b95b0298..b5784e17f632ca62e4b69f38c82e0b8b0252e7fe 100644 (file)
--- a/bash_completion.d/tinc
+++ b/bash_completion.d/tinc
@@ -4,7 +4,7 @@ _tinc() {
        cur="${COMP_WORDS[COMP_CWORD]}"
        prev="${COMP_WORDS[COMP_CWORD-1]}"
        opts="-c -d -D -K -n -o -L -R -U --config --no-detach --debug --net --option --mlock --logfile --pidfile --chroot --user --help --version"
-       confvars="Address AddressFamily BindToAddress BindToInterface Broadcast BroadcastSubnet Cipher ClampMSS Compression ConnectTo DecrementTTL Device DeviceStandby DeviceType Digest DirectOnly Ed25519PrivateKeyFile Ed25519PublicKey Ed25519PublicKeyFile ExperimentalProtocol Forwarding GraphDumpFile Hostnames IffOneQueue IndirectData Interface KeyExpire ListenAddress LocalDiscovery MACExpire MACLength MaxOutputBufferSize MaxTimeout Mode Name PMTU PMTUDiscovery PingInterval PingTimeout Port PriorityInheritance PrivateKeyFile ProcessPriority Proxy PublicKeyFile ReplayWindow StrictSubnets Subnet TCPOnly TunnelServer UDPRcvBuf UDPSndBuf VDEGroup VDEPort Weight"
+       confvars="Address AddressFamily BindToAddress BindToInterface Broadcast BroadcastSubnet Cipher ClampMSS Compression ConnectTo DecrementTTL Device DeviceStandby DeviceType Digest DirectOnly Ed25519PrivateKeyFile Ed25519PublicKey Ed25519PublicKeyFile ExperimentalProtocol Forwarding GraphDumpFile Hostnames IffOneQueue IndirectData Interface KeyExpire ListenAddress LocalDiscovery MACExpire MACLength MaxOutputBufferSize MaxTimeout Mode Name PMTU PMTUDiscovery PingInterval PingTimeout Port PriorityInheritance PrivateKeyFile ProcessPriority Proxy PublicKeyFile ReplayWindow StrictSubnets Subnet TCPOnly TunnelServer UDPDiscovery UDPDiscoveryInterval UDPDiscoveryTimeout UDPRcvBuf UDPSndBuf VDEGroup VDEPort Weight"
        commands="add connect debug del disconnect dump edit export export-all generate-ed25519-keys generate-keys generate-rsa-keys get help import info init invite join log network pcap pid purge reload restart retry set start stop top version"
 
        case ${prev} in

diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in
index 9d9bf76f7d04440118cb8fcb1b9396bcca91201e..48c3df508d3d5120d2351d342c4a7e3a101d2a03 100644 (file)
--- a/doc/tinc.conf.5.in
+++ b/doc/tinc.conf.5.in
@@ -485,6 +485,18 @@ and will only allow connections with nodes for which host config files are prese
 .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
 directory.
 Setting this options also implicitly sets StrictSubnets.
+.It Va UDPDiscovery Li = yes | no Po yes Pc
+When this option is enabled tinc will try to establish UDP connectivity to nodes,
+using TCP while it determines if a node is reachable over UDP. If it is disabled,
+tinc always assumes a node is reachable over UDP.
+Note that tinc will never use UDP with nodes that have
+.Va TCPOnly
+enabled.
+.It Va UDPDiscoveryInterval Li = Ar seconds Pq 9
+The minimum amount of time between sending UDP ping datagrams to test UDP connectivity.
+.It Va UDPDiscoveryTimeout Li = Ar seconds Pq 30
+If tinc doesn't receive any UDP ping replies over the specified interval,
+it will assume UDP communication is broken and will fall back to TCP.
 .It Va UDPRcvBuf Li = Ar bytes Pq OS default
 Sets the socket receive buffer size for the UDP socket, in bytes.
 If unset, the default buffer size will be used by the operating system.

diff --git a/doc/tinc.texi b/doc/tinc.texi
index 2cb55a79f1a106c4a81cec6c826257fde2a6f34d..c940eddb48816ef126bb1f72e55a7b8f638e41b0 100644 (file)
--- a/doc/tinc.texi
+++ b/doc/tinc.texi
@@ -1232,6 +1232,22 @@ and will only allow connections with nodes for which host config files are prese
 @file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
 Setting this options also implicitly sets StrictSubnets.
 
+@cindex UDPDiscovey
+@item UDPDiscovery = <yes|no> (yes)
+When this option is enabled tinc will try to establish UDP connectivity to nodes,
+using TCP while it determines if a node is reachable over UDP. If it is disabled,
+tinc always assumes a node is reachable over UDP.
+Note that tinc will never use UDP with nodes that have TCPOnly enabled.
+
+@cindex UDPDiscoveryInterval
+@item UDPDiscoveryInterval = <seconds> (9)
+The minimum amount of time between sending UDP ping datagrams to test UDP connectivity.
+
+@cindex UDPDiscoveryTimeout
+@item UDPDiscoveryTimeout = <seconds> (30)
+If tinc doesn't receive any UDP ping replies over the specified interval,
+it will assume UDP communication is broken and will fall back to TCP.
+
 @cindex UDPRcvBuf
 @item UDPRcvBuf = <bytes> (OS default)
 Sets the socket receive buffer size for the UDP socket, in bytes.

diff --git a/src/graph.c b/src/graph.c
index 70d65731d1b78d886a100cfff7cc29bf5f980802..c0a5d0a60575c7fe52a6707fef939fce28dd3114 100644 (file)
--- a/src/graph.c
+++ b/src/graph.c
@@ -241,6 +241,7 @@ static void check_reachability(void) {
                        n->minmtu = 0;
                        n->mtuprobes = 0;
 
+                       timeout_del(&n->udp_ping_timeout);
                        timeout_del(&n->mtutimeout);
 
                        char *name;

diff --git a/src/net.h b/src/net.h
index dcc99a4a6055c44d6f33bf016f30958432f90e64..35e8799774cbd0b68f02fa12327971f60a0bf5e7 100644 (file)
--- a/src/net.h
+++ b/src/net.h
@@ -138,6 +138,10 @@ extern int addressfamily;
 extern unsigned replaywin;
 extern bool localdiscovery;
 
+extern bool udp_discovery;
+extern int udp_discovery_interval;
+extern int udp_discovery_timeout;
+
 extern listen_socket_t listen_socket[MAXSOCKETS];
 extern int listen_sockets;
 extern io_t unix_socket;

diff --git a/src/net_packet.c b/src/net_packet.c
index 51237d200e2666eb9f0532f4ba5c3d27ab6a1a66..131f52ec3b4b1680193bcb8d08462ab50cd26e1a 100644 (file)
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -59,10 +59,13 @@ static void send_udppacket(node_t *, vpn_packet_t *);
 
 unsigned replaywin = 16;
 bool localdiscovery = true;
+bool udp_discovery = true;
+int udp_discovery_interval = 9;
+int udp_discovery_timeout = 30;
 
 #define MAX_SEQNO 1073741824
 
-static void send_mtu_probe_packet(node_t *n, int len) {
+static void send_udp_probe_packet(node_t *n, int len) {
        vpn_packet_t packet;
        packet.offset = DEFAULT_PACKET_OFFSET;
        memset(DATA(&packet), 0, 14);
@@ -70,7 +73,7 @@ static void send_mtu_probe_packet(node_t *n, int len) {
        packet.len = len;
        packet.priority = 0;
 
-       logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
+       logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname);
 
        send_udppacket(n, &packet);
 }
@@ -131,7 +134,7 @@ static void send_mtu_probe_handler(void *data) {
        /* After the initial discovery, a fourth packet is added to each batch with a
           size larger than the currently known PMTU, to test if the PMTU has increased. */
        if (n->mtuprobes >= 30 && n->maxmtu + 8 < MTU)
-               send_mtu_probe_packet(n, n->maxmtu + 8);
+               send_udp_probe_packet(n, n->maxmtu + 8);
 
        /* Probes are sent in batches of three, with random sizes between the
           lower and upper boundaries for the MTU thus far discovered. */
@@ -140,14 +143,14 @@ static void send_mtu_probe_handler(void *data) {
                if(n->minmtu < n->maxmtu)
                        len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
 
-               send_mtu_probe_packet(n, MAX(len, 64));
+               send_udp_probe_packet(n, MAX(len, 64));
        }
 
        /* In case local discovery is enabled, another packet is added to each batch,
           which will be broadcast to the local network. */
        if(localdiscovery && n->mtuprobes <= 10 && n->prevedge) {
                n->status.send_locally = true;
-               send_mtu_probe_packet(n, 16);
+               send_udp_probe_packet(n, 16);
                n->status.send_locally = false;
        }
 
@@ -175,9 +178,21 @@ void send_mtu_probe(node_t *n) {
        send_mtu_probe_handler(n);
 }
 
-static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
+static void udp_probe_timeout_handler(void *data) {
+       node_t *n = data;
+       if(!n->status.udp_confirmed)
+               return;
+
+       logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
+       n->status.udp_confirmed = false;
+       n->mtuprobes = 1;
+       n->minmtu = 0;
+       n->maxmtu = MTU;
+}
+
+static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
        if(!DATA(packet)[0]) {
-               logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe request %d from %s (%s)", packet->len, n->name, n->hostname);
+               logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
 
                /* It's a probe request, send back a reply */
 
@@ -207,19 +222,23 @@ static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
                length_t probelen = len;
                if (DATA(packet)[0] == 2) {
                        if (len < 3)
-                               logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) MTU probe reply from %s (%s)", n->name, n->hostname);
+                               logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) UDP probe reply from %s (%s)", n->name, n->hostname);
                        else {
                                uint16_t probelen16; memcpy(&probelen16, DATA(packet) + 1, 2); probelen = ntohs(probelen16);
                        }
                }
-               logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d MTU probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname);
+               logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname);
 
                /* It's a valid reply: now we know bidirectional communication
                   is possible using the address and socket that the reply
                   packet used. */
-
                n->status.udp_confirmed = true;
 
+               if(udp_discovery) {
+                       timeout_del(&n->udp_ping_timeout);
+                       timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
+               }
+
                /* If we haven't established the PMTU yet, restart the discovery process. */
 
                if(n->mtuprobes > 30) {
@@ -493,7 +512,7 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
        inpkt->priority = 0;
 
        if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
-               mtu_probe_h(n, inpkt, origlen);
+               udp_probe_h(n, inpkt, origlen);
        else
                receive_packet(n, inpkt);
        return true;
@@ -860,7 +879,7 @@ bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t
        if(type == PKT_PROBE) {
                inpkt.len = len;
                memcpy(DATA(&inpkt), data, len);
-               mtu_probe_h(from, &inpkt, len);
+               udp_probe_h(from, &inpkt, len);
                return true;
        }
 
@@ -935,6 +954,24 @@ static void try_sptps(node_t *n) {
        return;
 }
 
+// This function tries to establish a UDP tunnel to a node so that packets can be sent.
+// If a tunnel is already established, it makes sure it stays up.
+// This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
+static void try_udp(node_t* n) {
+       if(!udp_discovery)
+               return;
+
+       struct timeval now;
+       gettimeofday(&now, NULL);
+       struct timeval ping_tx_elapsed;
+       timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
+
+       if(ping_tx_elapsed.tv_sec >= udp_discovery_interval) {
+               send_udp_probe_packet(n, MAX(n->minmtu, 16));
+               n->udp_ping_sent = now;
+       }
+}
+
 // This function tries to establish a tunnel to a node (or its relay) so that packets can be sent (e.g. get SPTPS keys).
 // If a tunnel is already established, it tries to improve it (e.g. by trying to establish a UDP tunnel instead of TCP).
 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if TCP and/or UDP is usable.
@@ -958,7 +995,8 @@ static void try_tx(node_t *n) {
        if(!n->status.sptps && !via->status.validkey && via->last_req_key + 10 <= now.tv_sec) {
                send_req_key(via);
                via->last_req_key = now.tv_sec;
-       }
+       } else if(via == n || !n->status.sptps || (via->options >> 24) >= 4)
+               try_udp(via);
 
        /* If we don't know how to reach "via" yet, then try to reach it through a relay. */
        if(n->status.sptps && !via->status.udp_confirmed && via->nexthop != via && (via->nexthop->options >> 24) >= 4)

diff --git a/src/net_setup.c b/src/net_setup.c
index 1007f699d397db88c520b132c83f259cdb8567c7..97f3d2a4a9ea8dc6ce7639b4dfe5e557d6f94147 100644 (file)
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -510,6 +510,10 @@ bool setup_myself_reloadable(void) {
        if(myself->options & OPTION_TCPONLY)
                myself->options |= OPTION_INDIRECT;
 
+       get_config_bool(lookup_config(config_tree, "UDPDiscovery"), &udp_discovery);
+       get_config_int(lookup_config(config_tree, "UDPDiscoveryInterval"), &udp_discovery_interval);
+       get_config_int(lookup_config(config_tree, "UDPDiscoveryTimeout"), &udp_discovery_timeout);
+
        get_config_bool(lookup_config(config_tree, "DirectOnly"), &directonly);
        get_config_bool(lookup_config(config_tree, "LocalDiscovery"), &localdiscovery);
 

diff --git a/src/node.c b/src/node.c
index 71f55b85a931bab56122a6449005c0d33be4a6ac..0da7e605a9cc246874bbfedcd9ae07f16c169d53 100644 (file)
--- a/src/node.c
+++ b/src/node.c
@@ -92,6 +92,7 @@ void free_node(node_t *n) {
        ecdsa_free(n->ecdsa);
        sptps_stop(&n->sptps);
 
+       timeout_del(&n->udp_ping_timeout);
        timeout_del(&n->mtutimeout);
 
        if(n->hostname)

diff --git a/src/node.h b/src/node.h
index bd10add706f1ba2db9e2ba7b1083c66b138908d2..1863db94f81b5c268cb39099ea1cea997d05d998 100644 (file)
--- a/src/node.h
+++ b/src/node.h
@@ -87,6 +87,9 @@ typedef struct node_t {
        uint32_t farfuture;                     /* Packets in a row that have arrived from the far future */
        unsigned char* late;                    /* Bitfield marking late packets */
 
+       struct timeval udp_ping_sent;           /* Last time a ping probe was sent */
+       timeout_t udp_ping_timeout;             /* Ping timeout event */
+
        length_t mtu;                           /* Maximum size of packets to send to this node */
        length_t minmtu;                        /* Probed minimum MTU */
        length_t maxmtu;                        /* Probed maximum MTU */

diff --git a/src/tincctl.c b/src/tincctl.c
index ba536197ca5e59eb093a423d3398d5c16a9a2e28..2e3820355bafe2bafedb30bc758d167f4b2c1f5f 100644 (file)
--- a/src/tincctl.c
+++ b/src/tincctl.c
@@ -1364,6 +1364,9 @@ const var_t variables[] = {
        {"ScriptsInterpreter", VAR_SERVER},
        {"StrictSubnets", VAR_SERVER},
        {"TunnelServer", VAR_SERVER},
+       {"UDPDiscovery", VAR_SERVER},
+       {"UDPDiscoveryInterval", VAR_SERVER},
+       {"UDPDiscoveryTimeout", VAR_SERVER},
        {"UDPRcvBuf", VAR_SERVER},
        {"UDPSndBuf", VAR_SERVER},
        {"VDEGroup", VAR_SERVER},