Update mud

Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>

.github/workflows/build.yml

@@ -0,0 +1,24 @@
+name: Build
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macOS-latest]
+
+    steps:
+    - uses: actions/checkout@v1
+    - name: Build glorytun
+      run: |
+          git submodule update --init --recursive
+          ./sodium.sh
+          make prefix=. install
+
+    - uses: actions/upload-artifact@v1
+      with:
+        name: ${{ matrix.os }}
+        path: ./bin

.gitignore

@@ -1,4 +1,4 @@
-*.o
+*.[ios]
 *.log
 *.scan
 *.cache
@@ -10,6 +10,7 @@ configure
 build-aux
 .deps
 .dirstamp
+.static
 glorytun
 build*
 VERSION

.gitmodules

@@ -1,6 +1,8 @@
 [submodule "mud"]
 	path = mud
 	url = https://github.com/angt/mud.git
+	ignore = dirty
 [submodule "argz"]
 	path = argz
 	url = https://github.com/angt/argz.git
+	ignore = dirty

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2015-2016, angt
+Copyright (c) 2015-2020, Adrien Gallouët <adrien@gallouet.fr>
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Makefile

@@ -0,0 +1,34 @@
+NAME    := glorytun
+VERSION := $(shell ./version.sh)
+DIST    := $(NAME)-$(VERSION)
+
+CC      ?= cc
+DESTDIR ?=
+prefix  ?= /usr
+Q       := @
+
+CFLAGS := -std=c11 -O2 -Wall -fstack-protector-strong
+
+FLAGS := $(CFLAGS) $(LDFLAGS) $(CPPFLAGS)
+FLAGS += -DPACKAGE_NAME=\"$(NAME)\" -DPACKAGE_VERSION=\"$(VERSION)\"
+
+FLAGS += -I.static/$(CROSS)/libsodium-stable/src/libsodium/include
+FLAGS += -L.static/$(CROSS)/libsodium-stable/src/libsodium/.libs
+
+SRC := argz/argz.c mud/mud.c mud/aegis256/aegis256.c $(wildcard src/*.c)
+HDR := argz/argz.h mud/mud.h mud/aegis256/aegis256.h $(wildcard src/*.h)
+
+$(NAME): $(SRC) $(HDR)
+	@echo "$(NAME)"
+	$(Q)$(CC) $(FLAGS) -o $(NAME) $(SRC) -lsodium
+
+.PHONY: install
+install: $(NAME)
+	@echo "$(DESTDIR)$(prefix)/bin/$(NAME)"
+	$(Q)install -m 755 -d $(DESTDIR)$(prefix)/bin
+	$(Q)install -m 755 -s $(NAME) $(DESTDIR)$(prefix)/bin
+
+.PHONY: clean
+clean:
+	$(Q)rm -f "$(NAME)"
+	$(Q)rm -f "$(DIST).tar.gz"

Makefile.am

@@ -9,6 +9,8 @@ glorytun_SOURCES = \
     argz/argz.h \
     mud/mud.c \
     mud/mud.h \
+    mud/aegis256/aegis256.c \
+    mud/aegis256/aegis256.h \
     src/bench.c \
     src/bind.c \
     src/common.c \
@@ -29,11 +31,13 @@ glorytun_SOURCES = \
 
 EXTRA_DIST = \
     LICENSE \
+    Makefile \
     README.md \
     VERSION \
     autogen.sh \
     meson.build \
     mud/LICENSE \
     mud/README.md \
+    sodium.sh \
     systemd \
     version.sh

README.md

@@ -1,54 +1,52 @@
 # Glorytun
 
-Small, Simple and Stupid VPN over [mud](https://github.com/angt/mud).
+Glorytun is a small, simple and secure VPN over [mud](https://github.com/angt/mud).
 
-### Build and Install
+Please visit the [wiki](https://github.com/angt/glorytun/wiki) for how-to guides, tutorials, etc.
 
-Glorytun depends on [libsodium](https://github.com/jedisct1/libsodium) version >= 1.0.4.
+## Compatibility
 
-On Ubuntu, the following command should be sufficient:
+Glorytun only depends on [libsodium](https://github.com/jedisct1/libsodium) version >= 1.0.4.
+Which can be installed on a wide variety of systems.
 
-    $ sudo apt-get install meson libsodium-dev pkg-config
+Linux is the platform of choice but the code is standard so it should be easily ported on other posix systems.
+It was successfully tested on OpenBSD, FreeBSD and MacOS.
 
-Grab the latest release from github:
+IPv4 and IPv6 are supported.
+On Linux you can have both at the same time by binding `::`.
 
-    $ git clone https://github.com/angt/glorytun --recursive
-    $ cd glorytun
+## Features
 
-To build and install the latest version with [meson](http://mesonbuild.com):
+The key features of Glorytun come directly from mud:
 
-    $ meson build
-    $ sudo ninja -C build install
+ * **Fast and highly secure**
 
-The more classical autotools suite is also available.
+   Glorytun uses a new and very fast AEAD construction called AEGIS-256 if AES-NI is available otherwise ChaCha20-Poly1305 is used.
+   Of course, you can force the use of ChaCha20-Poly1305 for higher security.
+   All messages are encrypted, authenticated and timestamped to mitigate a large set of attacks.
+   This implies that the client and the server must be synchronized, an offset of 10min is accepted by default.
+   Perfect forward secrecy is also implemented with ECDH over Curve25519. Keys are rotated every hours.
 
-### Easy setup with systemd
+ * **Multipath and failover**
 
-Just call `glorytun-setup` and follow the instructions.
+   Connectivity is now crucial, especially in the SD-WAN world.
+   This feature allows a TCP connection (and all other protocols) to explore and exploit all available links without being disconnected.
+   Aggregation should work on all conventional links.
+   Only very high latency (+500ms) links are not recommended for now.
+   Backup paths are also supported, they will be used only in case of emergency, it is useful when aggregation is not your priority.
 
-First, setup the server:
+ * **Traffic shaping**
 
-    $ sudo glorytun-setup
-    Config filename (tun0):
-    Server ip (enter for server conf):
-    Bind to port (5000):
-    Server key (enter to generate a new one):
-    Your new key: NEW_KEY
-    Start glorytun now ? (enter to skip): y
+   Shaping is very important in network, it allows to keep a low latency without sacrificing the bandwidth.
+   It also helps the multipath scheduler to make better decisions.
+   Currently it must be configured by hand, but soon Glorytun will do it for you.
 
-Copy the new generated key and use it when configuring the client:
+ * **Path MTU discovery without ICMP**
 
-    $ sudo glorytun-setup
-    Config filename (tun0):
-    Server ip (enter for server conf): SERVER_IP
-    Server port (5000):
-    Server key (enter to generate a new one): NEW_KEY
-    Start glorytun now ? (enter to skip): y
-
-You can check easily if it works by looking at your public ip.
-To stop the service:
-
-    $ sudo systemctl stop glorytun@tun0
+   Bad MTU configuration is a very common problem in the world of VPN.
+   As it is critical, Glorytun will try to setup it correctly by guessing its value.
+   It doesn't rely on Next-hop MTU to avoid ICMP black holes.
+   In asymmetric situations the minimum MTU is selected.
 
 ---
 

configure.ac

@@ -4,7 +4,6 @@ AC_INIT([glorytun],
         [https://github.com/angt/glorytun/issues],
         [glorytun],
         [https://github.com/angt/glorytun])
-AC_DEFINE_UNQUOTED([VERSION_MAJOR], [m4_esyscmd([./version.sh major])])
 AC_CONFIG_SRCDIR([src/common.h])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])
@@ -15,7 +14,6 @@ AM_PROG_CC_C_O
 AC_PROG_CC_C99
 AC_USE_SYSTEM_EXTENSIONS
 AC_SEARCH_LIBS([socket], [socket])
-AC_SEARCH_LIBS([fmin], [m])
 AC_CHECK_LIB([rt], [clock_gettime])
 AC_CHECK_FUNCS([clock_gettime])
 PKG_CHECK_MODULES([libsodium], [libsodium >= 1.0.4])

meson.build

@@ -23,6 +23,7 @@ executable('glorytun', install: true,
   sources: [
     'argz/argz.c',
     'mud/mud.c',
+    'mud/aegis256/aegis256.c',
     'src/bench.c',
     'src/bind.c',
     'src/common.c',
@@ -37,7 +38,6 @@ executable('glorytun', install: true,
   ],
   dependencies: [
     dependency('libsodium', version : '>=1.0.4'),
-    cc.find_library('m', required : false)
   ]
 )
 

sodium.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+mkdir -p .static
+cd .static || exit 1
+
+file=LATEST.tar.gz
+url=https://download.libsodium.org/libsodium/releases
+dir="$PWD"
+
+[ -f "$file" ] || wget -q     "$url/$file" -O "$file"
+[ -f "$file" ] || curl -SsfLO "$url/$file"
+[ -f "$file" ] || {
+	echo "Couldn't download $url/$file"
+	exit 1
+}
+
+if [ "$1" ]; then
+	mkdir -p "$1"
+	cd "$1" || exit 1
+fi
+
+rm -rf libsodium-stable
+tar zxf "$dir/$file"
+cd libsodium-stable || exit 1
+
+NPROC=$(sysctl -n hw.ncpu || nproc) 2>/dev/null
+
+./configure ${1+--host=$1} --enable-minimal --disable-dependency-tracking --enable-static --disable-shared
+make "-j$((NPROC+1))"

src/bench.c

@@ -1,146 +1,105 @@
 #include "common.h"
 
-#include <math.h>
 #include <sodium.h>
 #include <string.h>
 #include <stdio.h>
-#include <sys/time.h>
 #include <time.h>
 #include <unistd.h>
-
-#if defined __APPLE__
-#include <mach/mach_time.h>
-#endif
+#include <inttypes.h>
 
 #include "../argz/argz.h"
+#include "../mud/aegis256/aegis256.h"
 
-#define STR_S(X) (((X) > 1) ? "s" : "")
-
-static unsigned long long
-gt_now(void)
-{
-#if defined __APPLE__
-    static mach_timebase_info_data_t mtid;
-    if (!mtid.denom)
-        mach_timebase_info(&mtid);
-    return (mach_absolute_time() * mtid.numer / mtid.denom) / 1000ULL;
-#elif defined CLOCK_MONOTONIC
-    struct timespec tv;
-    clock_gettime(CLOCK_MONOTONIC, &tv);
-    return tv.tv_sec * 1000000ULL + tv.tv_nsec / 1000ULL;
-#else
-    struct timeval tv;
-    gettimeofday(&tv, NULL);
-    return tv.tv_sec * 1000000ULL + tv.tv_usec;
-#endif
-}
+#define NPUBBYTES 32
+#define KEYBYTES  32
+#define ABYTES    16
 
 int
 gt_bench(int argc, char **argv)
 {
-    unsigned long precision = 10;
-    size_t bufsize = 64 * 1024;
-    unsigned long duration = 1000;
-
     struct argz bench_argz[] = {
         {"aes|chacha", NULL, NULL, argz_option},
-        {"precision", "EXPONENT", &precision, argz_ulong},
-        {"bufsize", "BYTES", &bufsize, argz_bytes},
-        {"duration", "SECONDS", &duration, argz_time},
         {NULL}};
 
     if (argz(bench_argz, argc, argv))
         return 1;
 
-    if (duration == 0 || bufsize == 0)
-        return 0;
-
     if (sodium_init() == -1) {
         gt_log("sodium init failed\n");
         return 1;
     }
 
-    duration /= 1000;
-
     int term = isatty(1);
+    int aes = argz_is_set(bench_argz, "aes");
     int chacha = argz_is_set(bench_argz, "chacha");
 
-    if (!chacha && !crypto_aead_aes256gcm_is_available()) {
-        gt_log("aes is not available on your platform\n");
-        return 1;
+    if (!aegis256_is_available()) {
+        if (aes) {
+            gt_log("aes is not available on your platform\n");
+            return 1;
+        }
+        chacha = 1;
     }
 
-    unsigned char *buf = calloc(1, bufsize + crypto_aead_aes256gcm_ABYTES);
-
-    if (!buf) {
-        perror("calloc");
-        return 1;
-    }
-
-    unsigned char npub[crypto_aead_aes256gcm_NPUBBYTES];
-    unsigned char key[crypto_aead_aes256gcm_KEYBYTES];
+    unsigned char buf[1450 + ABYTES];
+    unsigned char npub[NPUBBYTES];
+    unsigned char key[KEYBYTES];
 
+    memset(buf, 0, sizeof(buf));
     randombytes_buf(npub, sizeof(npub));
     randombytes_buf(key, sizeof(key));
 
     if (term) {
-        printf("\n");
-        printf("  %-10s %s\n", "bench", chacha ? "chacha20poly1305" : "aes256gcm");
-        printf("  %-10s %s\n", "libsodium", sodium_version_string());
-        printf("\n");
-        printf("  %-10s 2^(-%lu)\n", "precision", precision);
-        printf("  %-10s %zu byte%s\n", "bufsize", bufsize, STR_S(bufsize));
-        printf("  %-10s %lu second%s\n", "duration", duration, STR_S(duration));
-        printf("\n");
-        printf("------------------------------------------------------------\n");
-        printf(" %3s %9s %14s %14s %14s\n", "2^n", "min", "avg", "max", "delta");
-        printf("------------------------------------------------------------\n");
+        printf("cipher: %s\n\n", GT_CIPHER(chacha));
+        printf("  size       min           mean            max      \n");
+        printf("----------------------------------------------------\n");
     }
 
-    for (int i = 0; !gt_quit && bufsize >> i; i++) {
-        unsigned long long total_dt = 0ULL;
-        size_t total_bytes = 0;
-        double mbps = 0.0;
-        double mbps_min = INFINITY;
-        double mbps_max = 0.0;
-        double mbps_dlt = INFINITY;
+    int64_t size = 20;
 
-        while (!gt_quit && mbps_dlt > ldexp(mbps, -precision)) {
-            crypto_aead_aes256gcm_state ctx;
+    for (int i = 0; !gt_quit && size <= 1450; i++) {
+        struct {
+            int64_t min, mean, max, n;
+        } mbps = { .n = 0 };
 
-            if (!chacha)
-                crypto_aead_aes256gcm_beforenm(&ctx, key);
+        int64_t bytes_max = (int64_t)1 << 24;
 
-            unsigned long long now = gt_now();
-            double mbps_old = mbps;
-            size_t bytes = 0;
+        while (!gt_quit && mbps.n < 10) {
+            int64_t bytes = 0;
+            int64_t base = (int64_t)clock();
 
-            gt_alarm = 0;
-            alarm(duration);
-
-            while (!gt_quit && !gt_alarm) {
+            while (!gt_quit && bytes <= bytes_max) {
                 if (chacha) {
                     crypto_aead_chacha20poly1305_encrypt(
-                        buf, NULL, buf, 1ULL << i, NULL, 0, NULL, npub, key);
+                            buf, NULL, buf, size, NULL, 0, NULL, npub, key);
                 } else {
-                    crypto_aead_aes256gcm_encrypt_afternm(
-                        buf, NULL, buf, 1ULL << i, NULL, 0, NULL, npub,
-                        (const crypto_aead_aes256gcm_state *)&ctx);
+                    aegis256_encrypt(buf, NULL, buf, size, NULL, 0, npub, key);
                 }
-                bytes += 1ULL << i;
+                bytes += size;
             }
 
-            total_dt += gt_now() - now;
-            total_bytes += bytes;
+            int64_t dt = (int64_t)clock() - base;
+            bytes_max = (bytes * (CLOCKS_PER_SEC / 3)) / dt;
+            int64_t _mbps = (8 * bytes * CLOCKS_PER_SEC) / (dt * 1000 * 1000);
 
-            mbps = (total_bytes * 8.0) / total_dt;
-            mbps_min = fmin(mbps_min, mbps);
-            mbps_max = fmax(mbps_max, mbps);
-            mbps_dlt = fabs(mbps_old - mbps);
+            if (!mbps.n++) {
+                mbps.min = _mbps;
+                mbps.max = _mbps;
+                mbps.mean = _mbps;
+                continue;
+            }
+
+            if (mbps.min > _mbps)
+                mbps.min = _mbps;
+
+            if (mbps.max < _mbps)
+                mbps.max = _mbps;
+
+            mbps.mean += (_mbps - mbps.mean) / mbps.n;
 
             if (term) {
-                printf("\r %3i %9.2f Mbps %9.2f Mbps %9.2f Mbps %9.2e",
-                       i, mbps_min, mbps, mbps_max, mbps_dlt);
+                printf("\r %5"PRIi64" %9"PRIi64" Mbps %9"PRIi64" Mbps %9"PRIi64" Mbps",
+                        size, mbps.min, mbps.mean, mbps.max);
                 fflush(stdout);
             }
         }
@@ -148,12 +107,12 @@ gt_bench(int argc, char **argv)
         if (term) {
             printf("\n");
         } else {
-            printf("%i %.2f %.2f %.2f\n", i, mbps_min, mbps, mbps_max);
+            printf("bench %s %"PRIi64" %"PRIi64" %"PRIi64" %"PRIi64"\n",
+                    GT_CIPHER(chacha), size, mbps.min, mbps.mean, mbps.max);
         }
-    }
 
-    printf("\n");
-    free(buf);
+        size += 2 * 5 * 13;
+    }
 
     return 0;
 }

src/bind.c

@@ -6,25 +6,25 @@
 #include "tun.h"
 
 #include <fcntl.h>
-#include <netinet/in.h>
 #include <stdio.h>
+#include <sys/select.h>
 
 #include "../argz/argz.h"
 #include "../mud/mud.h"
 
+#include <sodium.h>
+
 #ifndef O_CLOEXEC
 #define O_CLOEXEC 0
 #endif
 
-#define GT_MTU(X) ((X)-28)
-
-static void
+static int
 fd_set_nonblock(int fd)
 {
-    int ret;
-
     if (fd == -1)
-        return;
+        return 0;
+
+    int ret;
 
     do {
         ret = fcntl(fd, F_GETFL, 0);
@@ -36,8 +36,7 @@ fd_set_nonblock(int fd)
         ret = fcntl(fd, F_SETFL, flags | O_NONBLOCK);
     } while (ret == -1 && errno == EINTR);
 
-    if (ret == -1)
-        perror("fcntl O_NONBLOCK");
+    return ret;
 }
 
 static int
@@ -50,7 +49,7 @@ gt_setup_secretkey(struct mud *mud, const char *keyfile)
     } while (fd == -1 && errno == EINTR);
 
     if (fd == -1) {
-        perror("open keyfile");
+        gt_log("couldn't open %s: %s\n", keyfile, strerror(errno));
         return -1;
     }
 
@@ -67,13 +66,13 @@ gt_setup_secretkey(struct mud *mud, const char *keyfile)
             break;
         }
 
-        size += r;
+        size += (size_t)r;
     }
 
     close(fd);
 
     if (size != sizeof(buf)) {
-        gt_log("unable to read secret key\n");
+        gt_log("couldn't read secret key\n");
         return -1;
     }
 
@@ -88,14 +87,15 @@ gt_setup_secretkey(struct mud *mud, const char *keyfile)
 }
 
 static size_t
-gt_setup_mtu(struct mud *mud, const char *tun_name)
+gt_setup_mtu(struct mud *mud, size_t old, const char *tun_name)
 {
     size_t mtu = mud_get_mtu(mud);
 
-    gt_log("setup MTU to %zu on interface %s\n", mtu, tun_name);
+    if (!mtu || mtu == old)
+        return mtu;
 
     if (iface_set_mtu(tun_name, mtu) == -1)
-        perror("tun_set_mtu");
+        gt_log("couldn't setup MTU at %zu on device %s\n", mtu, tun_name);
 
     return mtu;
 }
@@ -109,13 +109,6 @@ gt_bind(int argc, char **argv)
     unsigned short peer_port = bind_port;
     const char *dev = NULL;
     const char *keyfile = NULL;
-    size_t bufsize = 64 * 1024 * 1024;
-    size_t mtu = 1500;
-
-    struct argz mtuz[] = {
-        {"auto", NULL, NULL, argz_option},
-        {NULL, "BYTES", &mtu, argz_bytes},
-        {NULL}};
 
     struct argz toz[] = {
         {NULL, "IPADDR", &peer_addr, argz_addr},
@@ -127,73 +120,63 @@ gt_bind(int argc, char **argv)
         {NULL, "PORT", &bind_port, argz_ushort},
         {"to", NULL, &toz, argz_option},
         {"dev", "NAME", &dev, argz_str},
-        {"mtu", NULL, &mtuz, argz_option},
         {"keyfile", "FILE", &keyfile, argz_str},
         {"chacha", NULL, NULL, argz_option},
         {"persist", NULL, NULL, argz_option},
-        {"bufsize", "BYTES", &bufsize, argz_bytes},
         {NULL}};
 
     if (argz(bindz, argc, argv))
         return 1;
 
-    gt_set_port((struct sockaddr *)&bind_addr, bind_port);
-    gt_set_port((struct sockaddr *)&peer_addr, peer_port);
-
-    unsigned char *buf = malloc(bufsize);
-
-    if (!buf) {
-        perror("malloc");
+    if (str_empty(keyfile)) {
+        gt_log("a keyfile is needed!\n");
         return 1;
     }
 
-    int mtu_auto = argz_is_set(mtuz, "auto");
+    gt_set_port((struct sockaddr *)&bind_addr, bind_port);
+    gt_set_port((struct sockaddr *)&peer_addr, peer_port);
+
     int chacha = argz_is_set(bindz, "chacha");
     int persist = argz_is_set(bindz, "persist");
 
-    int icmp_fd = -1;
-
-    if (mtu_auto && (peer_addr.ss_family == AF_INET)) {
-        icmp_fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
-
-        if (icmp_fd == -1)
-            gt_log("couldn't create ICMP socket\n");
+    if (sodium_init() == -1) {
+        gt_log("couldn't init sodium\n");
+        return 1;
     }
 
-    struct mud *mud = mud_create((struct sockaddr *)&bind_addr);
+    unsigned char hashkey[crypto_shorthash_KEYBYTES];
+    randombytes_buf(hashkey, sizeof(hashkey));
 
-    if (!mud) {
+    struct mud *mud = mud_create((struct sockaddr *)&bind_addr);
+    const int mud_fd = mud_get_fd(mud);
+
+    if (mud_fd == -1) {
         gt_log("couldn't create mud\n");
         return 1;
     }
 
-    if (str_empty(keyfile)) {
-        if (mud_set_key(mud, NULL, 0)) {
-            gt_log("couldn't generate a new key\n");
-            return 1;
-        }
-    } else {
-        if (gt_setup_secretkey(mud, keyfile))
-            return 1;
-    }
+    if (gt_setup_secretkey(mud, keyfile))
+        return 1;
 
     if (!chacha && mud_set_aes(mud)) {
-        gt_log("AES is not available\n");
+        gt_log("AES is not available, enjoy ChaCha20!\n");
         chacha = 1;
     }
 
-    mud_set_mtu(mud, GT_MTU(mtu));
-
     char tun_name[64];
-    int tun_fd = tun_create(tun_name, sizeof(tun_name) - 1, dev);
+    const int tun_fd = tun_create(tun_name, sizeof(tun_name), dev);
 
     if (tun_fd == -1) {
         gt_log("couldn't create tun device\n");
         return 1;
     }
 
-    if (tun_set_persist(tun_fd, persist) == -1)
-        perror("tun_set_persist");
+    size_t mtu = gt_setup_mtu(mud, 0, tun_name);
+
+    if (tun_set_persist(tun_fd, persist) == -1) {
+        gt_log("couldn't %sable persist mode on device %s\n",
+                persist ? "en" : "dis", tun_name);
+    }
 
     if (peer_addr.ss_family) {
         if (mud_peer(mud, (struct sockaddr *)&peer_addr)) {
@@ -202,59 +185,104 @@ gt_bind(int argc, char **argv)
         }
     }
 
-    mtu = gt_setup_mtu(mud, tun_name);
-
-    int ctl_fd = ctl_create("/run/" PACKAGE_NAME, tun_name);
+    const int ctl_fd = ctl_create(tun_name);
 
     if (ctl_fd == -1) {
-        perror("ctl_create");
+        char dir[64];
+        if (ctl_rundir(dir, sizeof(dir))) {
+            gt_log("couldn't create %s/%s: %s\n",
+                    dir, tun_name, strerror(errno));
+        } else {
+            gt_log("couldn't find a writable run/tmp directory\n");
+        }
         return 1;
     }
 
-    int mud_fd = mud_get_fd(mud);
+    if (//fd_set_nonblock(tun_fd) ||
+        //fd_set_nonblock(mud_fd) ||
+        fd_set_nonblock(ctl_fd)) {
+        gt_log("couldn't setup non-blocking fds\n");
+        return 1;
+    }
 
-    fd_set_nonblock(tun_fd);
-    fd_set_nonblock(mud_fd);
-    fd_set_nonblock(icmp_fd);
-    fd_set_nonblock(ctl_fd);
+    const long pid = (long)getpid();
 
-    gt_log("running...\n");
+    gt_log("running on device %s as pid %li\n", tun_name, pid);
 
-    fd_set rfds;
+    fd_set rfds, wfds;
     FD_ZERO(&rfds);
+    FD_ZERO(&wfds);
 
-    int last_fd = 1 + MAX(tun_fd, MAX(mud_fd, MAX(ctl_fd, icmp_fd)));
+    int tun_can_read = 0;
+    int tun_can_write = 0;
+    int mud_can_read = 0;
+    int mud_can_write = 0;
+
+    int last_fd = MAX(tun_fd, mud_fd);
+    last_fd = 1 + MAX(last_fd, ctl_fd);
+
+    __attribute__((aligned(16)))
+        unsigned char buf[1500];
 
     while (!gt_quit) {
-        FD_SET(tun_fd, &rfds);
-        FD_SET(mud_fd, &rfds);
+        if (tun_can_write) FD_CLR(tun_fd, &wfds); else FD_SET(tun_fd, &wfds);
+        if (mud_can_write) FD_CLR(mud_fd, &wfds); else FD_SET(mud_fd, &wfds);
+        if (tun_can_read)  FD_CLR(tun_fd, &rfds); else FD_SET(tun_fd, &rfds);
+        if (mud_can_read)  FD_CLR(mud_fd, &rfds); else FD_SET(mud_fd, &rfds);
+
         FD_SET(ctl_fd, &rfds);
 
-        if (icmp_fd != -1)
-            FD_SET(icmp_fd, &rfds);
+        struct timeval tv = { 0 };
+        int update = mud_update(mud);
 
-        if (select(last_fd, &rfds, NULL, NULL, NULL) == -1) {
-            if (errno != EBADF)
-                continue;
-            perror("select");
-            return 1;
+        if (update >= 0) {
+            if (mud_can_read && tun_can_write) {
+            } else if (tun_can_read && mud_can_write) {
+                if (update)
+                    tv.tv_usec = 1000;
+            } else {
+                tv.tv_usec = 100000;
+            }
         }
 
-        if (icmp_fd != -1 && FD_ISSET(icmp_fd, &rfds)) {
-            struct ip_common ic;
-            struct sockaddr_storage ss;
-            socklen_t sl = sizeof(ss);
+        const int ret = select(last_fd, &rfds, &wfds, NULL, update < 0 ? NULL : &tv);
 
-            ssize_t r = recvfrom(icmp_fd, buf, bufsize, 0,
-                                 (struct sockaddr *)&ss, &sl);
-
-            if (!ip_get_common(&ic, buf, r)) {
-                size_t mtu = ip_get_mtu(&ic, buf, r);
-                if (mtu > 0) {
-                    gt_log("received MTU from ICMP: %zu\n", mtu);
-                    mud_set_mtu(mud, GT_MTU(mtu));
-                }
+        if (ret == -1) {
+            if (errno == EBADF) {
+                perror("select");
+                break;
             }
+            continue;
+        }
+
+        if (FD_ISSET(tun_fd, &rfds)) tun_can_read  = 1;
+        if (FD_ISSET(tun_fd, &wfds)) tun_can_write = 1;
+        if (FD_ISSET(mud_fd, &rfds)) mud_can_read  = 1;
+        if (FD_ISSET(mud_fd, &wfds)) mud_can_write = 1;
+
+        mtu = gt_setup_mtu(mud, mtu, tun_name);
+
+        if (tun_can_read && mud_can_write && !mud_send_wait(mud)) {
+            struct ip_common ic;
+            int r = tun_read(tun_fd, buf, sizeof(buf));
+
+            if (r > 0 && !ip_get_common(&ic, buf, r)) {
+                mud_send(mud, buf, (size_t)r);
+                mud_can_write = 0;
+            }
+
+            tun_can_read = 0;
+        }
+
+        if (mud_can_read && tun_can_write)  {
+            int r = mud_recv(mud, buf, sizeof(buf));
+
+            if (r > 0 && ip_is_valid(buf, r)) {
+                tun_write(tun_fd, buf, (size_t)r);
+                tun_can_write = 0;
+            }
+
+            mud_can_read = 0;
         }
 
         if (FD_ISSET(ctl_fd, &rfds)) {
@@ -272,9 +300,26 @@ gt_bind(int argc, char **argv)
                 case CTL_NONE:
                     break;
                 case CTL_STATE:
-                    if (mud_set_state(mud, (struct sockaddr *)&req.path.addr, req.path.state))
+                    if (mud_set_state(mud, (struct sockaddr *)&req.path.addr,
+                                      req.path.state,
+                                      req.path.rate_tx,
+                                      req.path.rate_rx,
+                                      req.path.beat,
+                                      req.path.fixed_rate))
                         res.ret = errno;
                     break;
+                case CTL_CONF:
+                    if (mud_set_conf(mud, &req.conf))
+                        res.ret = errno;
+                    break;
+                case CTL_STATUS:
+                    memcpy(res.status.tun_name, tun_name, sizeof(tun_name)); // XXX
+                    res.status.pid = pid;
+                    res.status.mtu = mtu;
+                    res.status.chacha = chacha;
+                    res.status.bind = bind_addr;
+                    res.status.peer = peer_addr;
+                    break;
                 case CTL_PATH_STATUS:
                     {
                         unsigned count = 0;
@@ -288,39 +333,20 @@ gt_bind(int argc, char **argv)
                         res.ret = EAGAIN;
 
                         for (unsigned i = 0; i < count; i++) {
-                            if (i && sendto(ctl_fd, &res, sizeof(res), 0,
-                                            (const struct sockaddr *)&ss, sl) == -1)
-                                perror("sendto(ctl)");
                             memcpy(&res.path_status, &paths[i], sizeof(struct mud_path));
+                            if (sendto(ctl_fd, &res, sizeof(res), 0,
+                                       (const struct sockaddr *)&ss, sl) == -1)
+                                perror("sendto(ctl)");
                         }
 
+                        free(paths);
                         res.ret = 0;
                     }
                     break;
-                case CTL_MTU:
-                    mud_set_mtu(mud, GT_MTU((size_t)req.mtu));
-                    res.mtu = gt_setup_mtu(mud, tun_name);
-                    mtu = res.mtu;
-                    break;
-                case CTL_TC:
-                    if (mud_set_tc(mud, req.tc))
+                case CTL_BAD:
+                    if (mud_get_bad(mud, &res.bad))
                         res.ret = errno;
                     break;
-                case CTL_TIMEOUT:
-                    if (mud_set_send_timeout(mud, req.timeout))
-                        res.ret = errno;
-                    break;
-                case CTL_TIMETOLERANCE:
-                    if (mud_set_time_tolerance(mud, req.timetolerance))
-                        res.ret = errno;
-                    break;
-                case CTL_STATUS:
-                    res.status.mtu = mtu;
-                    res.status.mtu_auto = (icmp_fd != -1);
-                    res.status.chacha = chacha;
-                    res.status.bind = bind_addr;
-                    res.status.peer = peer_addr;
-                    break;
                 }
                 if (sendto(ctl_fd, &res, sizeof(res), 0,
                            (const struct sockaddr *)&ss, sl) == -1)
@@ -329,98 +355,12 @@ gt_bind(int argc, char **argv)
                 perror("recvfrom(ctl)");
             }
         }
-
-        if (FD_ISSET(tun_fd, &rfds)) {
-            size_t size = 0;
-
-            while (bufsize - size >= mtu) {
-                const int r = tun_read(tun_fd, &buf[size], bufsize - size);
-
-                if (r <= 0 || r > mtu)
-                    break;
-
-                struct ip_common ic;
-
-                if (ip_get_common(&ic, &buf[size], r) || ic.size != r)
-                    break;
-
-                size += r;
-            }
-
-            size_t p = 0;
-
-            while (p < size) {
-                size_t q = p;
-                int tc = 0;
-
-                while (q < size) {
-                    struct ip_common ic;
-
-                    if ((ip_get_common(&ic, &buf[q], size - q)) ||
-                        (ic.size > size - q))
-                        break;
-
-                    if (q + ic.size > p + mtu)
-                        break;
-
-                    q += ic.size;
-
-                    if (tc < (ic.tc & 0xFC))
-                        tc = ic.tc & 0xFC;
-                }
-
-                if (p >= q)
-                    break;
-
-                int r = mud_send(mud, &buf[p], q - p, tc);
-
-                if (r == -1 && errno == EMSGSIZE) {
-                    mtu = gt_setup_mtu(mud, tun_name);
-                } else {
-                    if (r == -1 && errno != EAGAIN)
-                        perror("mud_send");
-                }
-
-                p = q;
-            }
-        }
-
-        if (FD_ISSET(mud_fd, &rfds)) {
-            size_t size = 0;
-
-            while (bufsize - size >= mtu) {
-                const int r = mud_recv(mud, &buf[size], bufsize - size);
-
-                if (r <= 0) {
-                    if (r == -1 && errno != EAGAIN)
-                        perror("mud_recv");
-                    break;
-                }
-
-                size += r;
-            }
-
-            size_t p = 0;
-
-            while (p < size) {
-                struct ip_common ic;
-
-                if ((ip_get_common(&ic, &buf[p], size - p)) ||
-                    (ic.size > size - p))
-                    break;
-
-                tun_write(tun_fd, &buf[p], ic.size);
-
-                p += ic.size;
-            }
-        }
     }
 
-    if (gt_reload && tun_fd >= 0) {
-        if (tun_set_persist(tun_fd, 1) == -1)
-            perror("tun_set_persist");
-    }
+    if (gt_reload && tun_fd >= 0)
+        tun_set_persist(tun_fd, 1);
 
+    mud_delete(mud);
     ctl_delete(ctl_fd);
 
     return 0;

src/common.c

@@ -64,7 +64,7 @@ gt_fromhex(uint8_t *dst, size_t dst_size, const char *src, size_t src_size)
         if (_0_(a == -1 || b == -1))
             return -1;
 
-        *dst++ = (a << 4) | b;
+        *dst++ = (uint8_t)((a << 4) | b);
     }
 
     return 0;
@@ -99,14 +99,18 @@ gt_get_port(struct sockaddr *sa)
 int
 gt_toaddr(char *str, size_t size, struct sockaddr *sa)
 {
+    if (str)
+        str[0] = 0;
+
     switch (sa->sa_family) {
     case AF_INET:
         return -!inet_ntop(AF_INET,
-                           &((struct sockaddr_in *)sa)->sin_addr, str, size);
+                &((struct sockaddr_in *)sa)->sin_addr, str, (socklen_t)size);
     case AF_INET6:
         return -!inet_ntop(AF_INET6,
-                           &((struct sockaddr_in6 *)sa)->sin6_addr, str, size);
+                &((struct sockaddr_in6 *)sa)->sin6_addr, str, (socklen_t)size);
     }
 
+    errno = EAFNOSUPPORT;
     return -1;
 }

src/common.h

@@ -50,6 +50,8 @@
 #undef MIN
 #define MIN(x,y) ({ __typeof__(x) X=(x); __typeof__(y) Y=(y); X < Y ? X : Y; })
 
+#define GT_CIPHER(x)  ((x) ? "chacha20poly1305" : "aegis256")
+
 extern volatile sig_atomic_t gt_alarm;
 extern volatile sig_atomic_t gt_reload;
 extern volatile sig_atomic_t gt_quit;

src/ctl.c

@@ -5,26 +5,54 @@
 #include <stdio.h>
 #include <unistd.h>
 #include <dirent.h>
+#include <libgen.h>
 #include <sys/socket.h>
+#include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/un.h>
 
-#define CTL_BIND_MAX 64
+char *
+ctl_rundir(char *dst, size_t size)
+{
+    if (dst && size)
+        dst[0] = 0;
+
+    const char *fmt[] = {
+        "/run/user/%u/" PACKAGE_NAME,
+        "/run/"         PACKAGE_NAME ".%u",
+        "/var/run/"     PACKAGE_NAME ".%u",
+        "/tmp/"         PACKAGE_NAME ".%u",
+    };
+
+    for (unsigned i = 0; i < COUNT(fmt); i++) {
+        char path[128];
+        int ret = snprintf(dst, size, fmt[i], geteuid());
+
+        if ((ret <= 0) ||
+            ((size_t)ret >= size) ||
+            ((size_t)ret >= sizeof(path)))
+            continue;
+
+        memcpy(path, dst, (size_t)ret + 1);
+        char *p = dirname(path);
+
+        if (p && !access(p, W_OK))
+            return dst;
+    }
+
+    errno = EINTR;
+    return NULL;
+}
 
 int
 ctl_reply(int fd, struct ctl_msg *res, struct ctl_msg *req)
 {
-    if (fd == -1) {
-        errno = EINVAL;
-        return -1;
-    }
-
     if ((send(fd, req, sizeof(struct ctl_msg), 0) == -1) ||
         (recv(fd, res, sizeof(struct ctl_msg), 0) == -1))
         return -1;
 
     if (res->type != req->type || !res->reply) {
-        errno = EINTR;
+        errno = EBADMSG;
         return -1;
     }
 
@@ -43,17 +71,15 @@ ctl_setsun(struct sockaddr_un *dst, const char *dir, const char *file)
         .sun_family = AF_UNIX,
     };
 
-    const char *path[] = {dir, "/", file};
-    const size_t len = sizeof(sun.sun_path) - 1;
+    int ret = snprintf(sun.sun_path, sizeof(sun.sun_path), "%s/%s", dir, file);
 
-    if (str_cat(sun.sun_path, len, path, COUNT(path)) == len) {
-        if (str_cat(NULL, len + 1, path, COUNT(path)) > len) {
-            errno = EINVAL;
-            return -1;
-        }
+    if (ret <= 0 || (size_t)ret >= sizeof(sun.sun_path)) {
+        errno = EINVAL;
+        return -1;
     }
 
-    *dst = sun;
+    if (dst)
+        *dst = sun;
 
     return 0;
 }
@@ -61,40 +87,31 @@ ctl_setsun(struct sockaddr_un *dst, const char *dir, const char *file)
 static int
 ctl_bind(int fd, const char *dir, const char *file)
 {
-    char tmp[32];
+    char name[10] = { [0] = '.' };
     struct sockaddr_un sun;
 
     if (str_empty(file)) {
-        for (int i = 0; i < CTL_BIND_MAX; i++) {
-            if (snprintf(tmp, sizeof(tmp), ".%i", i) >= sizeof(tmp))
-                return -1;
+        unsigned pid = (unsigned)getpid();
 
-            if (ctl_setsun(&sun, dir, tmp))
-                return -1;
+        for (size_t i = 1; i < sizeof(name) - 1; i++, pid >>= 4)
+            name[i] = "uncopyrightables"[pid & 15];
 
-            if (!bind(fd, (struct sockaddr *)&sun, sizeof(sun)))
-                return 0;
-        }
-    } else {
-        if (ctl_setsun(&sun, dir, file))
-            return -1;
-
-        unlink(sun.sun_path);
-
-        if (!bind(fd, (struct sockaddr *)&sun, sizeof(sun)))
-            return 0;
+        file = name;
     }
 
-    return -1;
+    if (ctl_setsun(&sun, dir, file))
+        return -1;
+
+    if (unlink(sun.sun_path) && errno != ENOENT)
+        return -1;
+
+    return bind(fd, (struct sockaddr *)&sun, sizeof(sun));
 }
 
 void
 ctl_delete(int fd)
 {
-    if (fd == -1)
-        return;
-
-    struct sockaddr_storage ss;
+    struct sockaddr_storage ss = { 0 };
     socklen_t sslen = sizeof(ss);
 
     if ((getsockname(fd, (struct sockaddr *)&ss, &sslen) == 0) &&
@@ -105,21 +122,18 @@ ctl_delete(int fd)
 }
 
 int
-ctl_create(const char *dir, const char *file)
+ctl_create(const char *file)
 {
-    if (str_empty(dir)) {
-        errno = EINVAL;
+    char dir[64];
+
+    if (!ctl_rundir(dir, sizeof(dir)))
         return -1;
-    }
 
     if (mkdir(dir, 0700) == -1 && errno != EEXIST)
         return -1;
 
     int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
 
-    if (fd == -1)
-        return -1;
-
     if (ctl_bind(fd, dir, file)) {
         int err = errno;
         close(fd);
@@ -131,17 +145,16 @@ ctl_create(const char *dir, const char *file)
 }
 
 int
-ctl_connect(const char *dir, const char *file)
+ctl_connect(const char *file)
 {
-    if (str_empty(dir)) {
-        errno = EINVAL;
+    char dir[64];
+    DIR *dp = NULL;
+
+    if (!ctl_rundir(dir, sizeof(dir)))
         return -1;
-    }
 
     if (!file) {
-        DIR *dp = opendir(dir);
-
-        if (!dp)
+        if (dp = opendir(dir), !dp)
             return -1;
 
         struct dirent *d = NULL;
@@ -152,27 +165,34 @@ ctl_connect(const char *dir, const char *file)
 
             if (file) {
                 closedir(dp);
-                errno = ENOENT;
-                return -1;
+                return CTL_ERROR_MANY;
             }
 
             file = &d->d_name[0];
         }
 
-        closedir(dp);
+        if (!file) {
+            closedir(dp);
+            return CTL_ERROR_NONE;
+        }
     }
 
     struct sockaddr_un sun;
+    const int ret = ctl_setsun(&sun, dir, file);
 
-    if (ctl_setsun(&sun, dir, file))
+    if (dp) {
+        int err = errno;
+        closedir(dp);
+        errno = err;
+    }
+
+    if (ret)
         return -1;
 
-    int fd = ctl_create(dir, NULL);
+    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
 
-    if (fd == -1)
-        return -1;
-
-    if (connect(fd, (struct sockaddr *)&sun, sizeof(sun))) {
+    if (ctl_bind(fd, dir, NULL) ||
+        connect(fd, (struct sockaddr *)&sun, sizeof(sun))) {
         int err = errno;
         ctl_delete(fd);
         errno = err;

src/ctl.h

@@ -4,15 +4,16 @@
 
 #include <sys/socket.h>
 
+#define CTL_ERROR_NONE (-2)
+#define CTL_ERROR_MANY (-3)
+
 enum ctl_type {
     CTL_NONE = 0,
     CTL_STATE,
+    CTL_CONF,
     CTL_STATUS,
-    CTL_MTU,
-    CTL_TC,
-    CTL_TIMEOUT,
-    CTL_TIMETOLERANCE,
     CTL_PATH_STATUS,
+    CTL_BAD,
 };
 
 struct ctl_msg {
@@ -22,23 +23,27 @@ struct ctl_msg {
         struct {
             struct sockaddr_storage addr;
             enum mud_state state;
+            unsigned long rate_tx;
+            unsigned long rate_rx;
+            unsigned long beat;
+            unsigned char fixed_rate;
         } path;
-        struct mud_path path_status;
         struct {
+            char tun_name[64];
+            long pid;
             size_t mtu;
-            int mtu_auto;
             int chacha;
             struct sockaddr_storage bind;
             struct sockaddr_storage peer;
         } status;
-        int mtu;
-        int tc;
-        unsigned long timeout;
-        unsigned long timetolerance;
+        struct mud_conf conf;
+        struct mud_path path_status;
+        struct mud_bad bad;
     };
 };
 
-int  ctl_create  (const char *, const char *);
-int  ctl_connect (const char *, const char *);
-int  ctl_reply   (int, struct ctl_msg *, struct ctl_msg *);
-void ctl_delete  (int);
+char *ctl_rundir  (char *, size_t);
+int   ctl_create  (const char *);
+int   ctl_connect (const char *);
+int   ctl_reply   (int, struct ctl_msg *, struct ctl_msg *);
+void  ctl_delete  (int);

src/iface.c

@@ -1,24 +1,27 @@
 #include "common.h"
 #include "iface.h"
-#include "str.h"
 
+#include <stdio.h>
 #include <net/if.h>
 #include <sys/ioctl.h>
 
 int
-iface_set_mtu(const char *dev_name, int mtu)
+iface_set_mtu(const char *dev_name, size_t mtu)
 {
+    if (mtu > (size_t)0xFFFF) {
+        errno = EINVAL;
+        return -1;
+    }
+
     struct ifreq ifr = {
-        .ifr_mtu = mtu,
+        .ifr_mtu = (int)mtu,
     };
 
-    const size_t len = sizeof(ifr.ifr_name) - 1;
+    int ret = snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", dev_name);
 
-    if (str_cpy(ifr.ifr_name, len, dev_name) == len) {
-        if (str_len(dev_name, len + 1) > len) {
-            errno = EINTR;
-            return -1;
-        }
+    if (ret <= 0 || (size_t)ret >= sizeof(ifr.ifr_name)) {
+        errno = EINVAL;
+        return -1;
     }
 
     int fd = socket(AF_INET, SOCK_DGRAM, 0);
@@ -26,7 +29,7 @@ iface_set_mtu(const char *dev_name, int mtu)
     if (fd == -1)
         return -1;
 
-    int ret = ioctl(fd, SIOCSIFMTU, &ifr);
+    ret = ioctl(fd, SIOCSIFMTU, &ifr);
 
     int err = errno;
     close(fd);

src/iface.h

@@ -1,3 +1,3 @@
 #pragma once
 
-int iface_set_mtu (const char *, int);
+int iface_set_mtu (const char *, size_t);

src/ip.h

@@ -3,15 +3,29 @@
 #include <stdint.h>
 
 struct ip_common {
-    uint8_t version;
     uint8_t tc;
     uint8_t proto;
-    uint8_t hdr_size;
-    uint16_t size;
+    struct { // data are not reordered
+        union {
+            unsigned char v6[16];
+            struct {
+                unsigned char zero[10];
+                unsigned char ff[2];
+                unsigned char v4[4];
+            };
+        };
+        unsigned char port[2];
+    } src, dst;
 };
 
-_pure_ static inline uint8_t
-ip_get_version(const uint8_t *data, size_t size)
+static inline int
+ip_read16(const uint8_t *src)
+{
+    return ((int)src[1]) | (((int)src[0]) << 8);
+}
+
+static inline uint8_t
+ip_get_version(const uint8_t *data, int size)
 {
     if (size < 20)
         return 0;
@@ -19,63 +33,65 @@ ip_get_version(const uint8_t *data, size_t size)
     return data[0] >> 4;
 }
 
-static inline uint32_t
-ip_read32(const uint8_t *src)
+static inline int
+ip_is_valid(const uint8_t *data, int size)
 {
-    uint32_t ret = src[3];
-    ret |= ((uint32_t)src[2]) << 8;
-    ret |= ((uint32_t)src[1]) << 16;
-    ret |= ((uint32_t)src[0]) << 24;
-    return ret;
-}
-
-static inline uint16_t
-ip_read16(const uint8_t *src)
-{
-    uint16_t ret = src[1];
-    ret |= ((uint16_t)src[0]) << 8;
-    return ret;
-}
-
-static inline size_t
-ip_get_mtu(struct ip_common *ic, const uint8_t *data, size_t size)
-{
-    if (ic->hdr_size <= 0 || ic->hdr_size + 8 > size)
-        return 0;
-
-    const uint8_t *p = &data[ic->hdr_size];
-
-    if (ic->version == 4 && ic->proto == 1 && p[0] == 3)
-        return ip_read16(&p[6]);
-
-    // not tested..
-    // if (ic->version == 6 && ic->proto == 58 && p[0] == 2)
-    //    return ip_read32(&p[4]);
+    switch (ip_get_version(data, size)) {
+        case 4: return size == ip_read16(&data[2]);
+        case 6: return size == ip_read16(&data[4]) + 40;
+    }
 
     return 0;
 }
 
 static inline int
-ip_get_common(struct ip_common *ic, const uint8_t *data, size_t size)
+ip_get_common(struct ip_common *ic, const uint8_t *data, int size)
 {
-    ic->version = ip_get_version(data, size);
-
-    switch (ic->version) {
+    switch (ip_get_version(data, size)) {
     case 4:
         ic->tc = data[1];
         ic->proto = data[9];
-        ic->hdr_size = (data[0] & 0xF) << 2;
-        ic->size = ip_read16(&data[2]);
-        if (ic->size >= 20)
+        if (size == ip_read16(&data[2])) {
+            const int hdrsize = (data[0] & 0xF) << 2;
+            memset(ic->src.zero, 0, sizeof(ic->src.zero));
+            memset(ic->src.ff, 0xff, sizeof(ic->src.ff));
+            memcpy(ic->src.v4, &data[12], sizeof(ic->src.v4));
+            memset(ic->dst.zero, 0, sizeof(ic->dst.zero));
+            memset(ic->dst.ff, 0xff, sizeof(ic->dst.ff));
+            memcpy(ic->dst.v4, &data[16], sizeof(ic->dst.v4));
+            switch (ic->proto) {
+            case 6:  // tcp
+            case 17: // udp
+                memcpy(ic->src.port, &data[hdrsize], sizeof(ic->src.port));
+                memcpy(ic->dst.port, &data[hdrsize + 2], sizeof(ic->dst.port));
+                break;
+            default:
+                memset(ic->src.port, 0, sizeof(ic->src.port));
+                memset(ic->dst.port, 0, sizeof(ic->dst.port));
+            }
             return 0;
+        }
         break;
     case 6:
-        ic->tc = ((data[0] & 0xF) << 4) | (data[1] >> 4);
+        ic->tc = (uint8_t)((data[0] << 4) | (data[1] >> 4));
         ic->proto = data[6];
-        ic->hdr_size = 40;
-        ic->size = ip_read16(&data[4]) + 40;
-        return 0;
+        if (size == ip_read16(&data[4]) + 40) {
+            memcpy(ic->src.v6, &data[8], sizeof(ic->src.v6));
+            memcpy(ic->dst.v6, &data[24], sizeof(ic->dst.v6));
+            switch (ic->proto) {
+            case 6:  // tcp
+            case 17: // udp
+                memcpy(ic->src.port, &data[40], sizeof(ic->src.port));
+                memcpy(ic->dst.port, &data[42], sizeof(ic->dst.port));
+                break;
+            default:
+                memset(ic->src.port, 0, sizeof(ic->src.port));
+                memset(ic->dst.port, 0, sizeof(ic->dst.port));
+            }
+            return 0;
+        }
+        break;
     }
 
-    return -1;
+    return 1;
 }

src/main.c

@@ -1,14 +1,17 @@
 #include "common.h"
 #include "str.h"
 
+#include <sodium.h>
 #include <stdio.h>
 
+#include "../argz/argz.h"
+
 volatile sig_atomic_t gt_alarm;
 volatile sig_atomic_t gt_reload;
 volatile sig_atomic_t gt_quit;
 
 static void
-gt_quit_handler(int sig)
+gt_sa_handler(int sig)
 {
     switch (sig) {
     case SIGALRM:
@@ -30,7 +33,7 @@ gt_set_signal(void)
 
     sigemptyset(&sa.sa_mask);
 
-    sa.sa_handler = gt_quit_handler;
+    sa.sa_handler = gt_sa_handler;
     sigaction(SIGINT, &sa, NULL);
     sigaction(SIGQUIT, &sa, NULL);
     sigaction(SIGTERM, &sa, NULL);
@@ -46,7 +49,19 @@ gt_set_signal(void)
 static int
 gt_version(int argc, char **argv)
 {
-    printf(PACKAGE_VERSION "\n");
+    struct argz version_argz[] = {
+        {"libsodium", NULL, NULL, argz_option},
+        {NULL}};
+
+    if (argz(version_argz, argc, argv))
+        return 1;
+
+    if (argz_is_set(version_argz, "libsodium")) {
+        printf("%s\n", sodium_version_string());
+    } else {
+        printf("%s\n", PACKAGE_VERSION);
+    }
+
     return 0;
 }
 
@@ -60,7 +75,7 @@ main(int argc, char **argv)
         char *help;
         int (*call)(int, char **);
     } cmd[] = {
-        {"show", "show all running tunnels", gt_show},
+        {"show", "show tunnel info", gt_show},
         {"bench", "start a crypto bench", gt_bench},
         {"bind", "start a new tunnel", gt_bind},
         {"set", "change tunnel properties", gt_set},
@@ -69,15 +84,14 @@ main(int argc, char **argv)
         {"version", "show version", gt_version},
         {NULL}};
 
-    if (argc < 2)
-        return gt_show(argc, argv);
-
-    for (int k = 0; cmd[k].name; k++) {
-        if (!str_cmp(cmd[k].name, argv[1]))
-            return cmd[k].call(argc - 1, argv + 1);
+    if (argv[1]) {
+        for (int k = 0; cmd[k].name; k++) {
+            if (!str_cmp(cmd[k].name, argv[1]))
+                return cmd[k].call(argc - 1, argv + 1);
+        }
     }
 
-    printf("unknown command `%s', available commands:\n\n", argv[1]);
+    printf("available commands:\n\n");
 
     int len = 0;
 

src/path.c

@@ -4,11 +4,103 @@
 
 #include <stdio.h>
 #include <sys/socket.h>
+#include <unistd.h>
 
 #include "../argz/argz.h"
 
-int
-gt_path_status(int fd)
+static void
+gt_path_print_status(struct mud_path *path, int term)
+{
+    char bindstr[INET6_ADDRSTRLEN];
+    char publstr[INET6_ADDRSTRLEN];
+    char peerstr[INET6_ADDRSTRLEN];
+
+    gt_toaddr(bindstr, sizeof(bindstr),
+            (struct sockaddr *)&path->local_addr);
+    gt_toaddr(publstr, sizeof(publstr),
+            (struct sockaddr *)&path->r_addr);
+    gt_toaddr(peerstr, sizeof(peerstr),
+            (struct sockaddr *)&path->addr);
+
+    const char *statestr = NULL;
+
+    switch (path->state) {
+        case MUD_UP:     statestr = "UP";     break;
+        case MUD_BACKUP: statestr = "BACKUP"; break;
+        case MUD_DOWN:   statestr = "DOWN";   break;
+        default:         return;
+    }
+
+    printf(term ? "path %s\n"
+            "  status:  %s\n"
+            "  bind:    %s port %"PRIu16"\n"
+            "  public:  %s port %"PRIu16"\n"
+            "  peer:    %s port %"PRIu16"\n"
+            "  mtu:     %zu bytes\n"
+            "  rtt:     %.3f ms\n"
+            "  rttvar:  %.3f ms\n"
+            "  rate:    %s\n"
+            "  beat:    %"PRIu64" ms\n"
+            "  tx:\n"
+            "    rate:  %"PRIu64" bytes/sec\n"
+            "    loss:  %"PRIu64" percent\n"
+            "    total: %"PRIu64" packets\n"
+            "  rx:\n"
+            "    rate:  %"PRIu64" bytes/sec\n"
+            "    loss:  %"PRIu64" percent\n"
+            "    total: %"PRIu64" packets\n"
+            : "path %s %s"
+            " %s %"PRIu16" %s %"PRIu16" %s %"PRIu16
+            " %zu %.3f %.3f"
+            " %s"
+            " %"PRIu64
+            " %"PRIu64" %"PRIu64" %"PRIu64
+            " %"PRIu64" %"PRIu64" %"PRIu64
+            "\n",
+        statestr,
+        path->ok ? "OK" : "DEGRADED",
+        bindstr[0] ? bindstr : "-",
+        gt_get_port((struct sockaddr *)&path->local_addr),
+        publstr[0] ? publstr : "-",
+        gt_get_port((struct sockaddr *)&path->r_addr),
+        peerstr[0] ? peerstr : "-",
+        gt_get_port((struct sockaddr *)&path->addr),
+        path->mtu.ok,
+        (double)path->rtt.val / 1e3,
+        (double)path->rtt.var / 1e3,
+        path->conf.fixed_rate ? "fixed" : "auto",
+        path->conf.beat / 1000,
+        path->tx.rate,
+        path->tx.loss * 100 / 255,
+        path->tx.total,
+        path->rx.rate,
+        path->rx.loss * 100 / 255,
+        path->rx.total);
+}
+
+static int
+gt_path_cmp_addr(struct sockaddr_storage *a, struct sockaddr_storage *b)
+{
+    if (a->ss_family != b->ss_family)
+        return 1;
+
+    if (a->ss_family == AF_INET) {
+        struct sockaddr_in *A = (struct sockaddr_in *)a;
+        struct sockaddr_in *B = (struct sockaddr_in *)b;
+        return ((memcmp(&A->sin_addr, &B->sin_addr, sizeof(A->sin_addr))));
+    }
+
+    if (a->ss_family == AF_INET6) {
+        struct sockaddr_in6 *A = (struct sockaddr_in6 *)a;
+        struct sockaddr_in6 *B = (struct sockaddr_in6 *)b;
+        return ((memcmp(&A->sin6_addr, &B->sin6_addr, sizeof(A->sin6_addr))));
+    }
+
+    return 1;
+}
+
+static int
+gt_path_status(int fd, enum mud_state state, struct sockaddr_storage *addr)
 {
     struct ctl_msg req = {
         .type = CTL_PATH_STATUS,
@@ -17,36 +109,34 @@ gt_path_status(int fd)
     if (send(fd, &req, sizeof(struct ctl_msg), 0) == -1)
         return -1;
 
-    do {
+    struct mud_path path[MUD_PATH_MAX];
+    int count = 0;
+
+    while (1) {
         if (recv(fd, &res, sizeof(struct ctl_msg), 0) == -1)
             return -1;
 
-        char bindstr[INET6_ADDRSTRLEN] = {0};
-        char peerstr[INET6_ADDRSTRLEN] = {0};
-
-        if (gt_toaddr(bindstr, sizeof(bindstr),
-                      (struct sockaddr *)&res.path_status.local_addr) ||
-            gt_toaddr(peerstr, sizeof(peerstr),
-                      (struct sockaddr *)&res.path_status.addr))
-            return -2;
-
-        const char *statestr = NULL;
-
-        switch (res.path_status.state) {
-            case MUD_UP:     statestr = "UP";     break;
-            case MUD_BACKUP: statestr = "BACKUP"; break;
-            case MUD_DOWN:   statestr = "DOWN";   break;
-            default:         return -2;
+        if (res.type != req.type) {
+            errno = EBADMSG;
+            return -1;
         }
 
-        printf("path %s\n"
-               "  bind:  %s\n"
-               "  peer:  %s\n"
-               "  rtt:   %.3f\n",
-               statestr, bindstr, peerstr,
-               res.path_status.rtt/(double)1e3);
+        if (res.ret == EAGAIN) {
+            memcpy(&path[count], &res.path_status, sizeof(struct mud_path));
+            count++;
+        } else if (res.ret) {
+            errno = res.ret;
+            return -1;
+        } else break;
+    }
 
-    } while (res.ret == EAGAIN);
+    int term = isatty(1);
+
+    for (int i = 0; i < count; i++) {
+        if ((state == MUD_EMPTY || path[i].state == state) &&
+            (!addr->ss_family || !gt_path_cmp_addr(addr, &path[i].local_addr)))
+            gt_path_print_status(&path[i], term);
+    }
 
     return 0;
 }
@@ -58,43 +148,75 @@ gt_path(int argc, char **argv)
 
     struct ctl_msg req = {
         .type = CTL_STATE,
+        .path = {
+            .state = MUD_EMPTY,
+        },
     }, res = {0};
 
+    struct argz ratez[] = {
+        {"fixed|auto", NULL, NULL, argz_option},
+        {"tx", "BYTES/SEC", &req.path.rate_tx, argz_bytes},
+        {"rx", "BYTES/SEC", &req.path.rate_rx, argz_bytes},
+        {NULL}};
+
     struct argz pathz[] = {
         {NULL, "IPADDR", &req.path.addr, argz_addr},
         {"dev", "NAME", &dev, argz_str},
         {"up|backup|down", NULL, NULL, argz_option},
+        {"rate", NULL, &ratez, argz_option},
+        {"beat", "SECONDS", &req.path.beat, argz_time},
         {NULL}};
 
     if (argz(pathz, argc, argv))
         return 1;
 
-    int fd = ctl_connect("/run/" PACKAGE_NAME, dev);
+    int fd = ctl_connect(dev);
 
-    if (fd == -1) {
-        perror("path");
-        ctl_delete(fd);
+    if (fd < 0) {
+        switch (fd) {
+        case -1:
+            perror("path");
+            break;
+        case CTL_ERROR_NONE:
+            gt_log("no device\n");
+            break;
+        case CTL_ERROR_MANY:
+            gt_log("please choose a device\n");
+            break;
+        default:
+            gt_log("couldn't connect\n");
+        }
         return 1;
     }
 
-    int ret = 0;
+    int set_rate = argz_is_set(pathz, "rate");
 
-    if (!req.path.addr.ss_family) {
-        ret = gt_path_status(fd);
+    if (set_rate && !req.path.addr.ss_family) {
+        gt_log("please specify a path\n");
+        return 1;
+    }
 
-        if (ret == -2)
-            gt_log("bad reply from server\n");
+    if (argz_is_set(pathz, "up")) {
+        req.path.state = MUD_UP;
+    } else if (argz_is_set(pathz, "backup")) {
+        req.path.state = MUD_BACKUP;
+    } else if (argz_is_set(pathz, "down")) {
+        req.path.state = MUD_DOWN;
+    }
+
+    if (argz_is_set(ratez, "fixed")) {
+        req.path.fixed_rate = 3;
+    } else if (argz_is_set(ratez, "auto")) {
+        req.path.fixed_rate = 1;
+    }
+
+    int ret;
+
+    if (!req.path.addr.ss_family ||
+        (req.path.state == MUD_EMPTY && !set_rate)) {
+        ret = gt_path_status(fd, req.path.state, &req.path.addr);
     } else {
-        if (argz_is_set(pathz, "up")) {
-            req.path.state = MUD_UP;
-        } else if (argz_is_set(pathz, "backup")) {
-            req.path.state = MUD_BACKUP;
-        } else if (argz_is_set(pathz, "down")) {
-            req.path.state = MUD_DOWN;
-        }
-
-        if (req.path.state)
-            ret = ctl_reply(fd, &res, &req);
+        ret = ctl_reply(fd, &res, &req);
     }
 
     if (ret == -1)
@@ -102,5 +224,5 @@ gt_path(int argc, char **argv)
 
     ctl_delete(fd);
 
-    return 0;
+    return !!ret;
 }

src/set.c

@@ -7,80 +7,6 @@
 
 #include "../argz/argz.h"
 
-static int
-gt_set_mtu(int fd, size_t mtu)
-{
-    struct ctl_msg res, req = {
-        .type = CTL_MTU,
-        .mtu = mtu,
-    };
-
-    int ret = ctl_reply(fd, &res, &req);
-
-    if (ret) {
-        perror("set mtu");
-        return 1;
-    }
-
-    printf("mtu set to %i\n", res.mtu);
-
-    return 0;
-}
-
-static int
-gt_set_timeout(int fd, unsigned long timeout)
-{
-    struct ctl_msg res, req = {
-        .type = CTL_TIMEOUT,
-        .timeout = timeout,
-    };
-
-    int ret = ctl_reply(fd, &res, &req);
-
-    if (ret) {
-        perror("set timeout");
-        return 1;
-    }
-
-    return 0;
-}
-
-static int
-gt_set_timetolerance(int fd, unsigned long timetolerance)
-{
-    struct ctl_msg res, req = {
-        .type = CTL_TIMETOLERANCE,
-        .timetolerance = timetolerance,
-    };
-
-    int ret = ctl_reply(fd, &res, &req);
-
-    if (ret) {
-        perror("set timetolerance");
-        return 1;
-    }
-
-    return 0;
-}
-
-static int
-gt_set_tc(int fd, int tc)
-{
-    struct ctl_msg res, req = {
-        .type = CTL_TC,
-        .tc = tc,
-    };
-
-    int ret = ctl_reply(fd, &res, &req);
-
-    if (ret) {
-        perror("set tc");
-        return 1;
-    }
-
-    return 0;
-}
-
 static int
 gt_argz_tc(void *data, int argc, char **argv)
 {
@@ -102,7 +28,7 @@ gt_argz_tc(void *data, int argc, char **argv)
     } else return -1;
 
     if (data)
-        *(int *)data = val;
+        *(int *)data = (val << 1) | 1;
 
     return 1;
 }
@@ -111,44 +37,48 @@ int
 gt_set(int argc, char **argv)
 {
     const char *dev = NULL;
-    size_t mtu;
-    int tc;
-    unsigned long timetolerance;
-    unsigned long timeout;
+
+    struct ctl_msg req = {
+        .type = CTL_CONF,
+    }, res = {0};
 
     struct argz pathz[] = {
         {"dev", "NAME", &dev, argz_str},
-        {"mtu", "BYTES", &mtu, argz_bytes},
-        {"tc", "CS|AF|EF", &tc, gt_argz_tc},
-        {"timeout", "SECONDS", &timeout, argz_time},
-        {"timetolerance", "SECONDS", &timetolerance, argz_time},
+        {"tc", "CS|AF|EF", &req.conf.tc, gt_argz_tc},
+        {"kxtimeout", "SECONDS", &req.conf.kxtimeout, argz_time},
+        {"timetolerance", "SECONDS", &req.conf.timetolerance, argz_time},
+        {"losslimit", "PERCENT", &req.conf.losslimit, argz_percent},
+        {"keepalive", "SECONDS", &req.conf.keepalive, argz_time},
         {NULL}};
 
     if (argz(pathz, argc, argv))
         return 1;
 
-    int fd = ctl_connect("/run/" PACKAGE_NAME, dev);
+    int fd = ctl_connect(dev);
 
-    if (fd == -1) {
-        perror("set");
+    if (fd < 0) {
+        switch (fd) {
+        case -1:
+            perror("set");
+            break;
+        case CTL_ERROR_NONE:
+            gt_log("no device\n");
+            break;
+        case CTL_ERROR_MANY:
+            gt_log("please choose a device\n");
+            break;
+        default:
+            gt_log("couldn't connect\n");
+        }
         return 1;
     }
 
-    int ret = 0;
+    int ret = ctl_reply(fd, &res, &req);
 
-    if (argz_is_set(pathz, "mtu"))
-        ret |= gt_set_mtu(fd, mtu);
-
-    if (argz_is_set(pathz, "tc"))
-        ret |= gt_set_tc(fd, tc);
-
-    if (argz_is_set(pathz, "timeout"))
-        ret |= gt_set_timeout(fd, timeout);
-
-    if (argz_is_set(pathz, "timetolerance"))
-        ret |= gt_set_timetolerance(fd, timetolerance);
+    if (ret)
+        perror("set");
 
     ctl_delete(fd);
 
-    return ret;
+    return !!ret;
 }

src/show.c

@@ -9,77 +9,113 @@
 #include <dirent.h>
 #include <sys/un.h>
 #include <arpa/inet.h>
+#include <unistd.h>
+
+static void
+gt_show_bad_line(int term, char *name, uint64_t count,
+                 struct sockaddr_storage *ss)
+{
+    if (!count)
+        return;
+
+    char addr[INET6_ADDRSTRLEN];
+    gt_toaddr(addr, sizeof(addr), (struct sockaddr *)ss);
+
+    printf(term ? "%s:\n"
+                  "  count: %"PRIu64"\n"
+                  "  last:  %s port %"PRIu16"\n"
+                : "%s"
+                  " %"PRIu64
+                  " %s %"PRIu16
+                  "\n",
+           name, count, addr[0] ? addr : "-",
+           gt_get_port((struct sockaddr *)ss));
+}
 
 static int
-gt_show_dev_status(int fd, const char *dev)
+gt_show_bad(int fd)
+{
+    struct ctl_msg res, req = {.type = CTL_BAD};
+
+    if (ctl_reply(fd, &res, &req))
+        return -1;
+
+    int term = isatty(1);
+
+    gt_show_bad_line(term, "decrypt",
+            res.bad.decrypt.count, &res.bad.decrypt.addr);
+    gt_show_bad_line(term, "difftime",
+            res.bad.difftime.count, &res.bad.difftime.addr);
+    gt_show_bad_line(term, "keyx",
+            res.bad.keyx.count, &res.bad.keyx.addr);
+
+    return 0;
+}
+
+static int
+gt_show_status(int fd)
 {
     struct ctl_msg res, req = {.type = CTL_STATUS};
 
     if (ctl_reply(fd, &res, &req))
         return -1;
 
-    char bindstr[INET6_ADDRSTRLEN] = {0};
-    char peerstr[INET6_ADDRSTRLEN] = {0};
+    char bindstr[INET6_ADDRSTRLEN];
+    char peerstr[INET6_ADDRSTRLEN];
 
-    if (gt_toaddr(bindstr, sizeof(bindstr),
-                  (struct sockaddr *)&res.status.bind))
-        return -2;
+    gt_toaddr(bindstr, sizeof(bindstr),
+              (struct sockaddr *)&res.status.bind);
 
     int server = gt_toaddr(peerstr, sizeof(peerstr),
                            (struct sockaddr *)&res.status.peer);
 
+    int term = isatty(1);
+
     if (server) {
-        printf("server %s:\n"
-               "  bind:      %s port %"PRIu16"\n"
-               "  mtu:       %zu\n"
-               "  auto mtu:  %s\n"
-               "  cipher:    %s\n",
-               dev,
-               bindstr, gt_get_port((struct sockaddr *)&res.status.bind),
+        printf(term ? "server %s:\n"
+                      "  pid:    %li\n"
+                      "  bind:   %s port %"PRIu16"\n"
+                      "  mtu:    %zu\n"
+                      "  cipher: %s\n"
+                    : "server %s"
+                      " %li"
+                      " %s %"PRIu16
+                      " %zu"
+                      " %s"
+                      "\n",
+               res.status.tun_name,
+               res.status.pid,
+               bindstr[0] ? bindstr : "-",
+               gt_get_port((struct sockaddr *)&res.status.bind),
                res.status.mtu,
-               res.status.mtu_auto ? "enabled" : "disabled",
-               res.status.chacha ? "chacha20poly1305" : "aes256gcm");
+               GT_CIPHER(res.status.chacha));
     } else {
-        printf("client %s:\n"
-               "  bind:      %s port %"PRIu16"\n"
-               "  peer:      %s port %"PRIu16"\n"
-               "  mtu:       %zu\n"
-               "  auto mtu:  %s\n"
-               "  cipher:    %s\n",
-               dev,
-               bindstr, gt_get_port((struct sockaddr *)&res.status.bind),
-               peerstr, gt_get_port((struct sockaddr *)&res.status.peer),
+        printf(term ? "client %s:\n"
+                      "  pid:    %li\n"
+                      "  bind:   %s port %"PRIu16"\n"
+                      "  peer:   %s port %"PRIu16"\n"
+                      "  mtu:    %zu\n"
+                      "  cipher: %s\n"
+                    : "client %s"
+                      " %li"
+                      " %s %"PRIu16
+                      " %s %"PRIu16
+                      " %zu"
+                      " %s"
+                      "\n",
+               res.status.tun_name,
+               res.status.pid,
+               bindstr[0] ? bindstr : "-",
+               gt_get_port((struct sockaddr *)&res.status.bind),
+               peerstr[0] ? peerstr : "-",
+               gt_get_port((struct sockaddr *)&res.status.peer),
                res.status.mtu,
-               res.status.mtu_auto ? "enabled" : "disabled",
-               res.status.chacha ? "chacha20poly1305" : "aes256gcm");
+               GT_CIPHER(res.status.chacha));
     }
 
     return 0;
 }
 
-static int
-gt_show_dev(const char *dev)
-{
-    int fd = ctl_connect("/run/" PACKAGE_NAME, dev);
-
-    if (fd == -1) {
-        perror(dev);
-        return -1;
-    }
-
-    int ret = gt_show_dev_status(fd, dev);
-
-    if (ret == -1)
-        perror(dev);
-
-    if (ret == -2)
-        gt_log("%s: bad reply from server\n", dev);
-
-    ctl_delete(fd);
-
-    return ret;
-}
-
 int
 gt_show(int argc, char **argv)
 {
@@ -87,33 +123,39 @@ gt_show(int argc, char **argv)
 
     struct argz showz[] = {
         {"dev", "NAME", &dev, argz_str},
+        {"bad", NULL, NULL, argz_option},
         {NULL}};
 
     if (argz(showz, argc, argv))
         return 1;
 
-    if (dev) {
-        gt_show_dev(dev);
-        return 0;
-    }
+    int fd = ctl_connect(dev);
 
-    DIR *dp = opendir("/run/" PACKAGE_NAME);
-
-    if (!dp) {
-        if (errno == ENOENT)
-            return 0;
-        perror("show");
+    if (fd < 0) {
+        switch (fd) {
+        case -1:
+            perror("show");
+            break;
+        case CTL_ERROR_NONE:
+            gt_log("no device\n");
+            break;
+        case CTL_ERROR_MANY:
+            gt_log("please choose a device\n");
+            break;
+        default:
+            gt_log("couldn't connect\n");
+        }
         return 1;
     }
 
-    struct dirent *d = NULL;
+    int ret = argz_is_set(showz, "bad")
+            ? gt_show_bad(fd)
+            : gt_show_status(fd);
 
-    while (d = readdir(dp), d) {
-        if (d->d_name[0] != '.')
-            gt_show_dev(d->d_name);
-    }
+    if (ret == -1)
+        perror("show");
 
-    closedir(dp);
+    ctl_delete(fd);
 
-    return 0;
+    return !!ret;
 }

src/str.h

@@ -31,32 +31,3 @@ str_len(const char *restrict str, size_t len)
 
     return strnlen(str, len);
 }
-
-static inline size_t
-str_cat(char *dst, size_t dst_len, const char **src, size_t count)
-{
-    if (count && !src)
-        return 0;
-
-    size_t len = 0;
-
-    for (size_t i = 0; i < count && dst_len > len; i++) {
-        size_t n = str_len(src[i], dst_len - len);
-
-        if (dst && n)
-            memmove(&dst[len], src[i], n);
-
-        len += n;
-    }
-
-    if (dst)
-        dst[len] = 0;
-
-    return len;
-}
-
-static inline size_t
-str_cpy(char *dst, size_t dst_len, const char *src)
-{
-    return str_cat(dst, dst_len, &src, 1);
-}

src/tun.c

@@ -32,9 +32,9 @@
 static int
 tun_create_by_id(char *name, size_t len, unsigned id)
 {
-    int ret = snprintf(name, len + 1, "utun%u", id);
+    int ret = snprintf(name, len, "utun%u", id);
 
-    if (ret <= 0 || ret > len) {
+    if (ret <= 0 || (size_t)ret >= len) {
         errno = EINVAL;
         return -1;
     }
@@ -44,8 +44,9 @@ tun_create_by_id(char *name, size_t len, unsigned id)
     if (fd == -1)
         return -1;
 
-    struct ctl_info ci = {0};
-    str_cpy(ci.ctl_name, sizeof(ci.ctl_name) - 1, UTUN_CONTROL_NAME);
+    struct ctl_info ci = {
+        .ctl_name = UTUN_CONTROL_NAME,
+    };
 
     if (ioctl(fd, CTLIOCGINFO, &ci)) {
         int err = errno;
@@ -92,14 +93,20 @@ tun_create_by_name(char *name, size_t len, const char *dev_name)
 static int
 tun_create_by_name(char *name, size_t len, const char *dev_name)
 {
+    int ret = snprintf(name, len, "%s", dev_name);
+
+    if (ret <= 0 || (size_t)ret >= len) {
+        errno = EINVAL;
+        return -1;
+    }
+
     struct ifreq ifr = {
         .ifr_flags = IFF_TUN | IFF_NO_PI,
     };
 
-    const size_t ifr_len = sizeof(ifr.ifr_name) - 1;
+    ret = snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", dev_name);
 
-    if ((len < ifr_len) ||
-        (str_len(dev_name, ifr_len + 1) > ifr_len)) {
+    if (ret <= 0 || (size_t)ret >= sizeof(ifr.ifr_name)) {
         errno = EINVAL;
         return -1;
     }
@@ -109,8 +116,6 @@ tun_create_by_name(char *name, size_t len, const char *dev_name)
     if (fd == -1)
         return -1;
 
-    str_cpy(ifr.ifr_name, ifr_len, dev_name);
-
     if (ioctl(fd, TUNSETIFF, &ifr)) {
         int err = errno;
         close(fd);
@@ -118,8 +123,6 @@ tun_create_by_name(char *name, size_t len, const char *dev_name)
         return -1;
     }
 
-    str_cpy(name, len, ifr.ifr_name);
-
     return fd;
 }
 
@@ -128,22 +131,13 @@ tun_create_by_name(char *name, size_t len, const char *dev_name)
 static int
 tun_create_by_name(char *name, size_t len, const char *dev_name)
 {
-    char tmp[128];
+    int ret = snprintf(name, len, "/dev/%s", dev_name);
 
-    int ret = snprintf(tmp, sizeof(tmp), "/dev/%s", dev_name);
-
-    if (ret <= 0 || ret >= sizeof(tmp)) {
+    if (ret <= 0 || (size_t)ret >= len) {
         errno = EINVAL;
         return -1;
     }
 
-    if (str_cpy(name, len, dev_name) == len) {
-        if (str_len(dev_name, len + 1) > len) {
-            errno = EINVAL;
-            return -1;
-        }
-    }
-
     return open(tmp, O_RDWR);
 }
 
@@ -153,10 +147,9 @@ static int
 tun_create_by_id(char *name, size_t len, unsigned id)
 {
     char tmp[64];
-
     int ret = snprintf(tmp, sizeof(tmp), "tun%u", id);
 
-    if (ret <= 0 || ret >= sizeof(tmp)) {
+    if (ret <= 0 || (size_t)ret >= sizeof(tmp)) {
         errno = EINVAL;
         return -1;
     }
@@ -201,17 +194,17 @@ tun_read(int fd, void *data, size_t size)
         },
     };
 
-    ssize_t ret = readv(fd, iov, 2);
+    int ret = (int)readv(fd, iov, 2);
 
-    if (ret <= (ssize_t)0)
+    if (ret <= 0)
         return ret;
 
-    if (ret <= (ssize_t)sizeof(family))
+    if ((size_t)ret <= sizeof(family))
         return 0;
 
-    return ret - sizeof(family);
+    return ret - (int)sizeof(family);
 #else
-    return read(fd, data, size);
+    return (int)read(fd, data, size);
 #endif
 }
 
@@ -224,7 +217,7 @@ tun_write(int fd, const void *data, size_t size)
 #ifdef GT_BSD_TUN
     uint32_t family;
 
-    switch (ip_get_version(data, size)) {
+    switch (ip_get_version(data, (int)size)) {
     case 4:
         family = htonl(AF_INET);
         break;
@@ -247,17 +240,17 @@ tun_write(int fd, const void *data, size_t size)
         },
     };
 
-    ssize_t ret = writev(fd, iov, 2);
+    int ret = (int)writev(fd, iov, 2);
 
-    if (ret <= (ssize_t)0)
+    if (ret <= 0)
         return ret;
 
-    if (ret <= (ssize_t)sizeof(family))
+    if ((size_t)ret <= sizeof(family))
         return 0;
 
-    return ret - sizeof(family);
+    return ret - (int)sizeof(family);
 #else
-    return write(fd, data, size);
+    return (int)write(fd, data, size);
 #endif
 }
 

systemd/glorytun-setup

@@ -45,7 +45,7 @@ HOST=$HOST
 PORT=$PORT
 BIND=$BIND
 BIND_PORT=$BIND_PORT
-OPTIONS="mtu auto"
+OPTIONS=
 EOF
 
 ( umask 077; echo "$KEY" > "$DIR/key" )
@@ -59,7 +59,9 @@ TABLE=200
 # keep the current route to HOST
 SRC=$(ip route get "$HOST" | awk '/src/{getline;print $0}' RS=' ')
 ip rule add from "$SRC" table main pref "$((PREF-1))" || true
-glorytun path up "$SRC" dev "$DEV"
+
+# limit to 100Mbit by default
+glorytun path up "$SRC" dev "$DEV" rate rx 12500000 tx 12500000
 
 # forward everything else to the tunnel
 ip rule add from all table "$TABLE" pref "$PREF" || true

systemd/glorytun@.service.in

@@ -8,7 +8,7 @@ Restart=always
 EnvironmentFile=/etc/glorytun/%i/env
 ExecStart=@bindir@/glorytun-run keyfile /etc/glorytun/%i/key $OPTIONS
 ExecStartPost=-/etc/glorytun/%i/post.sh
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_ADMIN
 
 [Install]
 WantedBy=multi-user.target

version.sh

@@ -1,13 +1,15 @@
 #!/bin/sh
 
-[ -z "${VERSION}" ] && VERSION=`git describe --tags --match='v[0-9].*' 2>/dev/null` \
-                    && VERSION=${VERSION#v}
+export GIT_DIR=.git
+export GIT_WORK_TREE=.
 
-[ -z "${VERSION}" ] && VERSION=`cat VERSION 2>/dev/null`
+[ -z "$VERSION" ] && VERSION="$(git describe --tags --match='v[0-9].*' 2>/dev/null)" \
+                  && VERSION="${VERSION#v}"
 
-[ -z "${VERSION}" ] && VERSION=0.0.0
+[ -z "$VERSION" ] && VERSION="$(git rev-parse HEAD 2>/dev/null)"
 
-[ "$1" = "major"  ] && printf ${VERSION%%.*} \
-                    && exit 0
+[ -z "$VERSION" ] && VERSION="$(cat VERSION 2>/dev/null)"
 
-printf ${VERSION} | tee VERSION
+[ -z "$VERSION" ] && VERSION="0.0.0"
+
+printf "%s" "$VERSION" | tee VERSION