Update README.md

Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>

.gitmodules

@@ -1,6 +1,8 @@
 [submodule "mud"]
 	path = mud
 	url = https://github.com/angt/mud.git
+	ignore = dirty
 [submodule "argz"]
 	path = argz
 	url = https://github.com/angt/argz.git
+	ignore = dirty

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2015-2016, angt
+Copyright (c) 2015-2019, angt
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Makefile.am

@@ -24,6 +24,7 @@ glorytun_SOURCES = \
     src/set.c \
     src/show.c \
     src/str.h \
+    src/sync.c \
     src/tun.c \
     src/tun.h
 

README.md

@@ -1,54 +1,131 @@
 # Glorytun
 
-Small, Simple and Stupid VPN over [mud](https://github.com/angt/mud).
+Glorytun is a small, simple and secure VPN over [mud](https://github.com/angt/mud).
 
-### Build and Install
+## Compatibility
 
-Glorytun depends on [libsodium](https://github.com/jedisct1/libsodium) version >= 1.0.4.
+Glorytun only depends on [libsodium](https://github.com/jedisct1/libsodium) version >= 1.0.4.
+Which can be installed on a wide variety of systems.
+Linux is the platform of choice but the code is standard so it should be easily ported on other posix systems.
+It was successfully tested on OpenBSD, FreeBSD and MacOS.
 
-On Ubuntu, the following command should be sufficient:
+## Features
+
+The key features of Glorytun come directly from mud:
+
+ * **Fast and highly secure**
+
+   The use of UDP and [libsodium](https://github.com/jedisct1/libsodium) allows you to secure
+   your communications without impacting performance.
+   Glorytun uses AES only if AES-NI is available otherwise ChaCha20 is used.
+   You can force the use of ChaCha20 for higher security.
+   All messages are encrypted, authenticated and marked with a timestamp.
+   Perfect forward secrecy is also implemented with ECDH over Curve25519.
+
+ * **Multipath and active failover**
+
+   This is the main feature of Glorytun that allows to build an SD-WAN like service.
+   This allows a TCP connection to explore and exploit multiple links without being disconnected.
+
+ * **Traffic shaping**
+
+   Shaping is very important in network, it allows to keep a low latency without sacrificing the bandwidth.
+   It also helps the multipath scheduler to make better decisions.
+   Currently it must be configured by hand, but soon Glorytun will do it for you.
+
+ * **Path MTU discovery without ICMP**
+
+   Bad MTU configuration is a very common problem in the world of VPN.
+   As it is critical, Glorytun will try to setup it correctly by guessing its value.
+   It doesn't rely on ICMP Next-hop MTU to avoid black holes.
+   In asymmetric situations the minimum MTU is selected.
+
+## Caveats
+
+Glorytun is strongly secure by default and protects against replay attacks,
+the clock between the client and the server must be synchronized.
+By default, an offset of 10min is accepted.
+
+## Build and Install
+
+We recommend the use of [meson](http://mesonbuild.com) for building instead of
+the more classical autotools suite (also available for old systems).
+
+On Ubuntu, the following command should be sufficient to get all the necessary build dependencies:
 
     $ sudo apt-get install meson libsodium-dev pkg-config
 
-Grab the latest release from github:
+To build and install the latest release from github:
 
     $ git clone https://github.com/angt/glorytun --recursive
-    $ cd glorytun
+    $ meson glorytun glorytun/build
+    $ sudo ninja -C glorytun/build install
 
-To build and install the latest version with [meson](http://mesonbuild.com):
+This will install all binaries in `/usr/local/bin` by default.
 
-    $ meson build
-    $ sudo ninja -C build install
+You can easily customize your setup with meson (see `meson help`).
 
-The more classical autotools suite is also available.
+## Usage
 
-### Easy setup with systemd
+Just run `glorytun` with no arguments to view the list of available commands:
 
-Just call `glorytun-setup` and follow the instructions.
+```
+$ glorytun
+available commands:
 
-First, setup the server:
+  show     show all running tunnels
+  bench    start a crypto bench
+  bind     start a new tunnel
+  set      change tunnel properties
+  sync     re-sync tunnels
+  keygen   generate a new secret key
+  path     manage paths
+  version  show version
 
-    $ sudo glorytun-setup
-    Config filename (tun0):
-    Server ip (enter for server conf):
-    Bind to port (5000):
-    Server key (enter to generate a new one):
-    Your new key: NEW_KEY
-    Start glorytun now ? (enter to skip): y
+```
 
-Copy the new generated key and use it when configuring the client:
+Use the keyword `help` after a command to show its usage.
 
-    $ sudo glorytun-setup
-    Config filename (tun0):
-    Server ip (enter for server conf): SERVER_IP
-    Server port (5000):
-    Server key (enter to generate a new one): NEW_KEY
-    Start glorytun now ? (enter to skip): y
+## Mini HowTo
 
-You can check easily if it works by looking at your public ip.
-To stop the service:
+Glorytun does not touch the configuration of its network interface (except for the MTU),
+It is up to the user to do it according to the tools available
+on his system (systemd-networkd, netifd, ...).
+This also allows a wide variety of configurations.
 
-    $ sudo systemctl stop glorytun@tun0
+To start a server:
+
+    # (umask 066; glorytun keygen > my_secret_key)
+    # glorytun bind 0.0.0.0 keyfile my_secret_key &
+
+You should now have an unconfigured network interface (let's say `tun0`).
+For example, the simplest setup with `ifconfig`:
+
+    # ifconfig tun0 10.0.1.1 pointopoint 10.0.1.2 up
+
+To check if the server is running, simply call `glorytun show`.
+It will show you all of the running tunnels.
+
+To start a new client, you need to get the secret key generated for the server.
+Then simply call:
+
+    # glorytun bind 0.0.0.0 to SERVER_IP keyfile my_secret_key &
+    # ifconfig tun0 10.0.1.2 pointopoint 10.0.1.1 up
+
+Now you have to setup your path, let's say you have an ADSL link that can do 1Mbit upload and 20Mbit download then call:
+
+    # glorytun path up LOCAL_IPADDR rate tx 1mbit rx 20mbit
+
+Again, to check if your path is working, you can watch its status with `glorytun path`.
+You should now be able to ping your server with `ping 10.0.1.1`.
+
+If you use systemd-networkd, you can easily setup your tunnels with the helper program `glorytun-setup`.
+
+## Thanks
+
+ * @jedisct1 for all his help and the code for MacOS/BSD.
+ * The team OTB (@bessa, @gregdel, @pouulet, @sduponch and @simon) for all tests and discussions.
+ * OVH to support this soft :)
 
 ---
 

configure.ac

@@ -4,7 +4,6 @@ AC_INIT([glorytun],
         [https://github.com/angt/glorytun/issues],
         [glorytun],
         [https://github.com/angt/glorytun])
-AC_DEFINE_UNQUOTED([VERSION_MAJOR], [m4_esyscmd([./version.sh major])])
 AC_CONFIG_SRCDIR([src/common.h])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])

meson.build

@@ -33,6 +33,7 @@ executable('glorytun', install: true,
     'src/path.c',
     'src/set.c',
     'src/show.c',
+    'src/sync.c',
     'src/tun.c',
   ],
   dependencies: [

src/bench.c

@@ -105,7 +105,7 @@ gt_bench(int argc, char **argv)
         double mbps_max = 0.0;
         double mbps_dlt = INFINITY;
 
-        while (!gt_quit && mbps_dlt > ldexp(mbps, -precision)) {
+        while (!gt_quit && mbps_dlt > ldexp(mbps, -(int)precision)) {
             crypto_aead_aes256gcm_state ctx;
 
             if (!chacha)

src/bind.c

@@ -12,6 +12,8 @@
 #include "../argz/argz.h"
 #include "../mud/mud.h"
 
+#include <sodium.h>
+
 #ifndef O_CLOEXEC
 #define O_CLOEXEC 0
 #endif
@@ -86,21 +88,16 @@ gt_setup_secretkey(struct mud *mud, const char *keyfile)
 }
 
 static size_t
-gt_setup_mtu(struct mud *mud, const char *tun_name)
+gt_setup_mtu(struct mud *mud, size_t old, const char *tun_name)
 {
-    static size_t oldmtu = 0;
     size_t mtu = mud_get_mtu(mud);
 
-    if (mtu == oldmtu)
+    if (mtu == old)
         return mtu;
 
-    gt_log("setup MTU to %zu on interface %s\n", mtu, tun_name);
-
     if (iface_set_mtu(tun_name, mtu) == -1)
         perror("tun_set_mtu");
 
-    oldmtu = mtu;
-
     return mtu;
 }
 
@@ -113,8 +110,6 @@ gt_bind(int argc, char **argv)
     unsigned short peer_port = bind_port;
     const char *dev = NULL;
     const char *keyfile = NULL;
-    size_t bufsize = 64 * 1024 * 1024;
-    size_t mtu = 1330;
 
     struct argz toz[] = {
         {NULL, "IPADDR", &peer_addr, argz_addr},
@@ -126,61 +121,58 @@ gt_bind(int argc, char **argv)
         {NULL, "PORT", &bind_port, argz_ushort},
         {"to", NULL, &toz, argz_option},
         {"dev", "NAME", &dev, argz_str},
-        {"mtu", "BYTES", &mtu, argz_bytes},
         {"keyfile", "FILE", &keyfile, argz_str},
         {"chacha", NULL, NULL, argz_option},
         {"persist", NULL, NULL, argz_option},
-        {"bufsize", "BYTES", &bufsize, argz_bytes},
         {NULL}};
 
     if (argz(bindz, argc, argv))
         return 1;
 
-    gt_set_port((struct sockaddr *)&bind_addr, bind_port);
-    gt_set_port((struct sockaddr *)&peer_addr, peer_port);
-
-    unsigned char *buf = malloc(bufsize);
-
-    if (!buf) {
-        perror("malloc");
+    if (str_empty(keyfile)) {
+        gt_log("a keyfile is needed!\n");
         return 1;
     }
 
+    gt_set_port((struct sockaddr *)&bind_addr, bind_port);
+    gt_set_port((struct sockaddr *)&peer_addr, peer_port);
+
     int chacha = argz_is_set(bindz, "chacha");
     int persist = argz_is_set(bindz, "persist");
 
-    struct mud *mud = mud_create((struct sockaddr *)&bind_addr);
+    if (sodium_init() == -1) {
+        gt_log("couldn't init sodium\n");
+        return 1;
+    }
 
-    if (!mud) {
+    unsigned char hashkey[crypto_shorthash_KEYBYTES];
+    randombytes_buf(hashkey, sizeof(hashkey));
+
+    struct mud *mud = mud_create((struct sockaddr *)&bind_addr);
+    const int mud_fd = mud_get_fd(mud);
+
+    if (mud_fd == -1) {
         gt_log("couldn't create mud\n");
         return 1;
     }
 
-    if (str_empty(keyfile)) {
-        if (mud_set_key(mud, NULL, 0)) {
-            gt_log("couldn't generate a new key\n");
-            return 1;
-        }
-    } else {
     if (gt_setup_secretkey(mud, keyfile))
         return 1;
-    }
 
     if (!chacha && mud_set_aes(mud)) {
-        gt_log("AES is not available\n");
+        gt_log("AES is not available, enjoy ChaCha20!\n");
         chacha = 1;
     }
 
     char tun_name[64];
-    int tun_fd = tun_create(tun_name, sizeof(tun_name) - 1, dev);
+    const int tun_fd = tun_create(tun_name, sizeof(tun_name) - 1, dev);
 
     if (tun_fd == -1) {
         gt_log("couldn't create tun device\n");
         return 1;
     }
 
-    mud_set_mtu(mud, mtu);
-    mtu = gt_setup_mtu(mud, tun_name);
+    size_t mtu = gt_setup_mtu(mud, 0, tun_name);
 
     if (tun_set_persist(tun_fd, persist) == -1)
         perror("tun_set_persist");
@@ -192,39 +184,56 @@ gt_bind(int argc, char **argv)
         }
     }
 
-    int ctl_fd = ctl_create("/run/" PACKAGE_NAME, tun_name);
+    const int ctl_fd = ctl_create(GT_RUNDIR, tun_name);
 
     if (ctl_fd == -1) {
         perror("ctl_create");
         return 1;
     }
 
-    int mud_fd = mud_get_fd(mud);
-
     fd_set_nonblock(tun_fd);
     fd_set_nonblock(mud_fd);
     fd_set_nonblock(ctl_fd);
 
-    gt_log("running...\n");
+    const long pid = (long)getpid();
+
+    gt_log("running on device %s as pid %li\n", tun_name, pid);
 
     fd_set rfds;
     FD_ZERO(&rfds);
 
-    int last_fd = 1 + MAX(tun_fd, MAX(mud_fd, ctl_fd));
+    const int last_fd = 1 + MAX(tun_fd, MAX(mud_fd, ctl_fd));
+
+    unsigned char buf[4096];
 
     while (!gt_quit) {
+        unsigned long send_wait = mud_send_wait(mud);
+
+        if (send_wait) {
+            FD_CLR(tun_fd, &rfds);
+        } else {
             FD_SET(tun_fd, &rfds);
+        }
+
         FD_SET(mud_fd, &rfds);
         FD_SET(ctl_fd, &rfds);
 
-        if (select(last_fd, &rfds, NULL, NULL, NULL) == -1) {
-            if (errno != EBADF)
-                continue;
+        struct timeval tv = {
+            .tv_sec  = 0,
+            .tv_usec = send_wait,
+        };
+
+        const int ret = select(last_fd, &rfds, NULL, NULL, send_wait ? &tv : NULL);
+
+        if (ret == -1) {
+            if (errno == EBADF) {
                 perror("select");
-            return 1;
+                break;
+            }
+            continue;
         }
 
-        mtu = gt_setup_mtu(mud, tun_name);
+        mtu = gt_setup_mtu(mud, mtu, tun_name);
 
         if (FD_ISSET(ctl_fd, &rfds)) {
             struct ctl_msg req, res = {.reply = 1};
@@ -241,7 +250,8 @@ gt_bind(int argc, char **argv)
                 case CTL_NONE:
                     break;
                 case CTL_STATE:
-                    if (mud_set_state(mud, (struct sockaddr *)&req.path.addr, req.path.state))
+                    if (mud_set_state(mud, (struct sockaddr *)&req.path.addr,
+                                      req.path.state, req.path.rate_tx, req.path.rate_rx))
                         res.ret = errno;
                     break;
                 case CTL_PATH_STATUS:
@@ -263,32 +273,36 @@ gt_bind(int argc, char **argv)
                                 perror("sendto(ctl)");
                         }
 
+                        free(paths);
                         res.ret = 0;
                     }
                     break;
                 case CTL_MTU:
-                    mud_set_mtu(mud, (size_t)req.mtu);
-                    mtu = gt_setup_mtu(mud, tun_name);
-                    res.mtu = mtu;
+                    mud_set_mtu(mud, req.mtu);
+                    res.mtu = mtu = gt_setup_mtu(mud, mtu, tun_name);
                     break;
                 case CTL_TC:
                     if (mud_set_tc(mud, req.tc))
                         res.ret = errno;
                     break;
-                case CTL_TIMEOUT:
-                    if (mud_set_send_timeout(mud, req.timeout))
+                case CTL_KXTIMEOUT:
+                    if (mud_set_keyx_timeout(mud, req.ms))
                         res.ret = errno;
                     break;
                 case CTL_TIMETOLERANCE:
-                    if (mud_set_time_tolerance(mud, req.timetolerance))
+                    if (mud_set_time_tolerance(mud, req.ms))
                         res.ret = errno;
                     break;
                 case CTL_STATUS:
+                    res.status.pid = pid;
                     res.status.mtu = mtu;
                     res.status.chacha = chacha;
                     res.status.bind = bind_addr;
                     res.status.peer = peer_addr;
                     break;
+                case CTL_SYNC:
+                    res.ms = mud_sync(mud);
+                    break;
                 }
                 if (sendto(ctl_fd, &res, sizeof(res), 0,
                            (const struct sockaddr *)&ss, sl) == -1)
@@ -298,89 +312,26 @@ gt_bind(int argc, char **argv)
             }
         }
 
-        if (FD_ISSET(tun_fd, &rfds)) {
-            size_t size = 0;
-
-            while (bufsize - size >= mtu) {
-                const int r = tun_read(tun_fd, &buf[size], bufsize - size);
-
-                if (r <= 0 || r > mtu)
-                    break;
-
-                struct ip_common ic;
-
-                if (ip_get_common(&ic, &buf[size], r) || ic.size != r)
-                    break;
-
-                size += r;
-            }
-
-            size_t p = 0;
-
-            while (p < size) {
-                size_t q = p;
-                int tc = 0;
-
-                while (q < size) {
-                    struct ip_common ic;
-
-                    if ((ip_get_common(&ic, &buf[q], size - q)) ||
-                        (ic.size > size - q))
-                        break;
-
-                    if (q + ic.size > p + mtu)
-                        break;
-
-                    q += ic.size;
-
-                    if (tc < (ic.tc & 0xFC))
-                        tc = ic.tc & 0xFC;
-                }
-
-                if (p >= q)
-                    break;
-
-                int r = mud_send(mud, &buf[p], q - p, tc);
-
-                if (r == -1) {
-                    if (errno == EMSGSIZE) {
-                        mtu = gt_setup_mtu(mud, tun_name);
-                    } else if (errno != EAGAIN) {
-                        perror("mud_send");
-                    }
-                }
-
-                p = q;
-            }
-        }
-
         if (FD_ISSET(mud_fd, &rfds)) {
-            size_t size = 0;
+            const int r = mud_recv(mud, buf, sizeof(buf));
 
-            while (bufsize - size >= mtu) {
-                const int r = mud_recv(mud, &buf[size], bufsize - size);
-
-                if (r <= 0) {
-                    if (r == -1 && errno != EAGAIN)
-                        perror("mud_recv");
-                    break;
+            if (ip_is_valid(buf, r))
+                tun_write(tun_fd, buf, r);
         }
 
-                size += r;
-            }
-
-            size_t p = 0;
-
-            while (p < size) {
+        if (FD_ISSET(tun_fd, &rfds) && !mud_send_wait(mud)) {
             struct ip_common ic;
+            const int r = tun_read(tun_fd, buf, sizeof(buf));
 
-                if ((ip_get_common(&ic, &buf[p], size - p)) ||
-                    (ic.size > size - p))
-                    break;
+            if (!ip_get_common(&ic, buf, r)) {
+             // TODO: disable hash for now
+             // unsigned char hash[crypto_shorthash_BYTES];
+             // crypto_shorthash(hash, (const unsigned char *)&ic, sizeof(ic), hashkey);
 
-                tun_write(tun_fd, &buf[p], ic.size);
+                unsigned h = 0;
+             // memcpy(&h, hash, sizeof(h));
 
-                p += ic.size;
+                mud_send(mud, buf, r, (h << 8) | ic.tc);
             }
         }
     }
@@ -390,6 +341,7 @@ gt_bind(int argc, char **argv)
             perror("tun_set_persist");
     }
 
+    mud_delete(mud);
     ctl_delete(ctl_fd);
 
     return 0;

src/common.c

@@ -99,6 +99,9 @@ gt_get_port(struct sockaddr *sa)
 int
 gt_toaddr(char *str, size_t size, struct sockaddr *sa)
 {
+    if (str)
+        str[0] = 0;
+
     switch (sa->sa_family) {
     case AF_INET:
         return -!inet_ntop(AF_INET,

src/common.h

@@ -21,6 +21,10 @@
 #define PACKAGE_VERSION "0.0.0"
 #endif
 
+#ifndef GT_RUNDIR
+#define GT_RUNDIR "/run/" PACKAGE_NAME
+#endif
+
 #define COUNT(x)       (sizeof(x)/sizeof(x[0]))
 
 #define ALIGN_SIZE     (1<<4)
@@ -70,3 +74,4 @@ int gt_path   (int, char **);
 int gt_keygen (int, char **);
 int gt_bench  (int, char **);
 int gt_set    (int, char **);
+int gt_sync   (int, char **);

src/ctl.c

@@ -94,7 +94,7 @@ ctl_delete(int fd)
     if (fd == -1)
         return;
 
-    struct sockaddr_storage ss;
+    struct sockaddr_storage ss = { 0 };
     socklen_t sslen = sizeof(ss);
 
     if ((getsockname(fd, (struct sockaddr *)&ss, &sslen) == 0) &&
@@ -133,13 +133,15 @@ ctl_create(const char *dir, const char *file)
 int
 ctl_connect(const char *dir, const char *file)
 {
+    DIR *dp = NULL;
+
     if (str_empty(dir)) {
         errno = EINVAL;
         return -1;
     }
 
     if (!file) {
-        DIR *dp = opendir(dir);
+        dp = opendir(dir);
 
         if (!dp)
             return -1;
@@ -152,19 +154,28 @@ ctl_connect(const char *dir, const char *file)
 
             if (file) {
                 closedir(dp);
-                errno = ENOENT;
-                return -1;
+                return -3;
             }
 
             file = &d->d_name[0];
         }
 
+        if (!file) {
             closedir(dp);
+            return -2;
+        }
     }
 
     struct sockaddr_un sun;
+    const int ret = ctl_setsun(&sun, dir, file);
 
-    if (ctl_setsun(&sun, dir, file))
+    if (dp) {
+        int err = errno;
+        closedir(dp);
+        errno = err;
+    }
+
+    if (ret)
         return -1;
 
     int fd = ctl_create(dir, NULL);

src/ctl.h

@@ -10,9 +10,10 @@ enum ctl_type {
     CTL_STATUS,
     CTL_MTU,
     CTL_TC,
-    CTL_TIMEOUT,
+    CTL_KXTIMEOUT,
     CTL_TIMETOLERANCE,
     CTL_PATH_STATUS,
+    CTL_SYNC,
 };
 
 struct ctl_msg {
@@ -22,18 +23,20 @@ struct ctl_msg {
         struct {
             struct sockaddr_storage addr;
             enum mud_state state;
+            unsigned long rate_tx;
+            unsigned long rate_rx;
         } path;
         struct mud_path path_status;
         struct {
+            long pid;
             size_t mtu;
             int chacha;
             struct sockaddr_storage bind;
             struct sockaddr_storage peer;
         } status;
-        int mtu;
+        size_t mtu;
         int tc;
-        unsigned long timeout;
-        unsigned long timetolerance;
+        unsigned long ms;
     };
 };
 

src/ip.h

@@ -3,15 +3,31 @@
 #include <stdint.h>
 
 struct ip_common {
-    uint8_t version;
     uint8_t tc;
     uint8_t proto;
-    uint8_t hdr_size;
-    uint16_t size;
+    struct { // data are not reordered
+        union {
+            unsigned char v6[16];
+            struct {
+                unsigned char zero[10];
+                unsigned char ff[2];
+                unsigned char v4[4];
+            };
+        };
+        unsigned char port[2];
+    } src, dst;
 };
 
-_pure_ static inline uint8_t
-ip_get_version(const uint8_t *data, size_t size)
+static inline int
+ip_read16(const uint8_t *src)
+{
+    uint16_t ret = src[1];
+    ret |= ((uint16_t)src[0]) << 8;
+    return (int)ret;
+}
+
+static inline uint8_t
+ip_get_version(const uint8_t *data, int size)
 {
     if (size < 20)
         return 0;
@@ -19,63 +35,65 @@ ip_get_version(const uint8_t *data, size_t size)
     return data[0] >> 4;
 }
 
-static inline uint32_t
-ip_read32(const uint8_t *src)
+static inline int
+ip_is_valid(const uint8_t *data, int size)
 {
-    uint32_t ret = src[3];
-    ret |= ((uint32_t)src[2]) << 8;
-    ret |= ((uint32_t)src[1]) << 16;
-    ret |= ((uint32_t)src[0]) << 24;
-    return ret;
+    switch (ip_get_version(data, size)) {
+        case 4: return size == ip_read16(&data[2]);
+        case 6: return size == ip_read16(&data[4]) + 40;
     }
 
-static inline uint16_t
-ip_read16(const uint8_t *src)
-{
-    uint16_t ret = src[1];
-    ret |= ((uint16_t)src[0]) << 8;
-    return ret;
-}
-
-static inline size_t
-ip_get_mtu(struct ip_common *ic, const uint8_t *data, size_t size)
-{
-    if (ic->hdr_size <= 0 || ic->hdr_size + 8 > size)
-        return 0;
-
-    const uint8_t *p = &data[ic->hdr_size];
-
-    if (ic->version == 4 && ic->proto == 1 && p[0] == 3)
-        return ip_read16(&p[6]);
-
-    // not tested..
-    // if (ic->version == 6 && ic->proto == 58 && p[0] == 2)
-    //    return ip_read32(&p[4]);
-
     return 0;
 }
 
 static inline int
-ip_get_common(struct ip_common *ic, const uint8_t *data, size_t size)
+ip_get_common(struct ip_common *ic, const uint8_t *data, int size)
 {
-    ic->version = ip_get_version(data, size);
-
-    switch (ic->version) {
+    switch (ip_get_version(data, size)) {
     case 4:
         ic->tc = data[1];
         ic->proto = data[9];
-        ic->hdr_size = (data[0] & 0xF) << 2;
-        ic->size = ip_read16(&data[2]);
-        if (ic->size >= 20)
+        if (size == ip_read16(&data[2])) {
+            const int hdrsize = (data[0] & 0xF) << 2;
+            memset(ic->src.zero, 0, sizeof(ic->src.zero));
+            memset(ic->src.ff, 0xff, sizeof(ic->src.ff));
+            memcpy(ic->src.v4, &data[12], sizeof(ic->src.v4));
+            memset(ic->dst.zero, 0, sizeof(ic->dst.zero));
+            memset(ic->dst.ff, 0xff, sizeof(ic->dst.ff));
+            memcpy(ic->dst.v4, &data[16], sizeof(ic->dst.v4));
+            switch (ic->proto) {
+            case 6:  // tcp
+            case 17: // udp
+                memcpy(ic->src.port, &data[hdrsize], sizeof(ic->src.port));
+                memcpy(ic->dst.port, &data[hdrsize + 2], sizeof(ic->dst.port));
+                break;
+            default:
+                memset(ic->src.port, 0, sizeof(ic->src.port));
+                memset(ic->dst.port, 0, sizeof(ic->dst.port));
+            }
             return 0;
+        }
         break;
     case 6:
         ic->tc = ((data[0] & 0xF) << 4) | (data[1] >> 4);
         ic->proto = data[6];
-        ic->hdr_size = 40;
-        ic->size = ip_read16(&data[4]) + 40;
+        if (size == ip_read16(&data[4]) + 40) {
+            memcpy(ic->src.v6, &data[8], sizeof(ic->src.v6));
+            memcpy(ic->dst.v6, &data[24], sizeof(ic->dst.v6));
+            switch (ic->proto) {
+            case 6:  // tcp
+            case 17: // udp
+                memcpy(ic->src.port, &data[40], sizeof(ic->src.port));
+                memcpy(ic->dst.port, &data[42], sizeof(ic->dst.port));
+                break;
+            default:
+                memset(ic->src.port, 0, sizeof(ic->src.port));
+                memset(ic->dst.port, 0, sizeof(ic->dst.port));
+            }
             return 0;
         }
-
-    return -1;
+        break;
+    }
+
+    return 1;
 }

src/main.c

@@ -8,7 +8,7 @@ volatile sig_atomic_t gt_reload;
 volatile sig_atomic_t gt_quit;
 
 static void
-gt_quit_handler(int sig)
+gt_sa_handler(int sig)
 {
     switch (sig) {
     case SIGALRM:
@@ -30,7 +30,7 @@ gt_set_signal(void)
 
     sigemptyset(&sa.sa_mask);
 
-    sa.sa_handler = gt_quit_handler;
+    sa.sa_handler = gt_sa_handler;
     sigaction(SIGINT, &sa, NULL);
     sigaction(SIGQUIT, &sa, NULL);
     sigaction(SIGTERM, &sa, NULL);
@@ -64,20 +64,20 @@ main(int argc, char **argv)
         {"bench", "start a crypto bench", gt_bench},
         {"bind", "start a new tunnel", gt_bind},
         {"set", "change tunnel properties", gt_set},
+        {"sync", "re-sync tunnels", gt_sync},
         {"keygen", "generate a new secret key", gt_keygen},
         {"path", "manage paths", gt_path},
         {"version", "show version", gt_version},
         {NULL}};
 
-    if (argc < 2)
-        return gt_show(argc, argv);
-
+    if (argv[1]) {
         for (int k = 0; cmd[k].name; k++) {
             if (!str_cmp(cmd[k].name, argv[1]))
                 return cmd[k].call(argc - 1, argv + 1);
         }
+    }
 
-    printf("unknown command `%s', available commands:\n\n", argv[1]);
+    printf("available commands:\n\n");
 
     int len = 0;
 

src/path.c

@@ -4,10 +4,11 @@
 
 #include <stdio.h>
 #include <sys/socket.h>
+#include <unistd.h>
 
 #include "../argz/argz.h"
 
-int
+static int
 gt_path_status(int fd)
 {
     struct ctl_msg req = {
@@ -17,6 +18,8 @@ gt_path_status(int fd)
     if (send(fd, &req, sizeof(struct ctl_msg), 0) == -1)
         return -1;
 
+    int term = isatty(1);
+
     do {
         if (recv(fd, &res, sizeof(struct ctl_msg), 0) == -1)
             return -1;
@@ -27,17 +30,16 @@ gt_path_status(int fd)
         if (!res.ret)
             return 0;
 
-        char bindstr[INET6_ADDRSTRLEN] = {0};
-        char publstr[INET6_ADDRSTRLEN] = {0};
-        char peerstr[INET6_ADDRSTRLEN] = {0};
+        char bindstr[INET6_ADDRSTRLEN];
+        char publstr[INET6_ADDRSTRLEN];
+        char peerstr[INET6_ADDRSTRLEN];
 
-        if (gt_toaddr(bindstr, sizeof(bindstr),
-                      (struct sockaddr *)&res.path_status.local_addr) ||
+        gt_toaddr(bindstr, sizeof(bindstr),
+                  (struct sockaddr *)&res.path_status.local_addr);
         gt_toaddr(publstr, sizeof(publstr),
-                      (struct sockaddr *)&res.path_status.r_addr) ||
+                  (struct sockaddr *)&res.path_status.r_addr);
         gt_toaddr(peerstr, sizeof(peerstr),
-                      (struct sockaddr *)&res.path_status.addr))
-            return -2;
+                  (struct sockaddr *)&res.path_status.addr);
 
         const char *statestr = NULL;
 
@@ -48,18 +50,46 @@ gt_path_status(int fd)
             default:         return -2;
         }
 
-        printf("path %s\n"
-               "  bind:   %s\n"
+        const char *statusstr = res.path_status.ok ? "OK" : "DEGRADED";
+
+        printf(term ? "path %s\n"
+                      "  status:   %s\n"
+                      "  bind:     %s port %"PRIu16"\n"
                       "  public:   %s port %"PRIu16"\n"
                       "  peer:     %s port %"PRIu16"\n"
                       "  mtu:      %zu bytes\n"
-               "  rtt:    %.3f ms\n",
-               statestr, bindstr,
-               publstr, gt_get_port((struct sockaddr *)&res.path_status.r_addr),
-               peerstr, gt_get_port((struct sockaddr *)&res.path_status.addr),
-               res.path_status.mtu.ok + 28U,     /* ip+udp hdr */
-               res.path_status.rtt/(double)1e3);
-
+                      "  rtt:      %.3f ms\n"
+                      "  rttvar:   %.3f ms\n"
+                      "  rate tx:  %"PRIu64" bytes/sec\n"
+                      "  rate rx:  %"PRIu64" bytes/sec\n"
+                      "  total tx: %"PRIu64" packets\n"
+                      "  total rx: %"PRIu64" packets\n"
+                    : "path %s %s"
+                      " %s %"PRIu16
+                      " %s %"PRIu16
+                      " %s %"PRIu16
+                      " %zu"
+                      " %.3f %.3f"
+                      " %"PRIu64
+                      " %"PRIu64
+                      " %"PRIu64
+                      " %"PRIu64
+                      "\n",
+            statestr,
+            statusstr,
+            bindstr[0] ? bindstr : "-",
+            gt_get_port((struct sockaddr *)&res.path_status.local_addr),
+            publstr[0] ? publstr : "-",
+            gt_get_port((struct sockaddr *)&res.path_status.r_addr),
+            peerstr[0] ? peerstr : "-",
+            gt_get_port((struct sockaddr *)&res.path_status.addr),
+            res.path_status.mtu.ok,
+            res.path_status.rtt.val / 1e3,
+            res.path_status.rtt.var / 1e3,
+            res.path_status.rate_tx,
+            res.path_status.rate_rx,
+            res.path_status.send.total,
+            res.path_status.recv.total);
     } while (res.ret == EAGAIN);
 
     return 0;
@@ -74,20 +104,37 @@ gt_path(int argc, char **argv)
         .type = CTL_STATE,
     }, res = {0};
 
+    struct argz ratez[] = {
+        {"tx", "BYTES/SEC", &req.path.rate_tx, argz_bytes},
+        {"rx", "BYTES/SEC", &req.path.rate_rx, argz_bytes},
+        {NULL}};
+
     struct argz pathz[] = {
         {NULL, "IPADDR", &req.path.addr, argz_addr},
         {"dev", "NAME", &dev, argz_str},
         {"up|backup|down", NULL, NULL, argz_option},
+        {"rate", NULL, &ratez, argz_option},
         {NULL}};
 
     if (argz(pathz, argc, argv))
         return 1;
 
-    int fd = ctl_connect("/run/" PACKAGE_NAME, dev);
+    int fd = ctl_connect(GT_RUNDIR, dev);
 
-    if (fd == -1) {
+    if (fd < 0) {
+        switch (fd) {
+        case -1:
             perror("path");
-        ctl_delete(fd);
+            break;
+        case -2:
+            gt_log("no device\n");
+            break;
+        case -3:
+            gt_log("please choose a device\n");
+            break;
+        default:
+            gt_log("couldn't connect\n");
+        }
         return 1;
     }
 
@@ -99,6 +146,8 @@ gt_path(int argc, char **argv)
         if (ret == -2)
             gt_log("bad reply from server\n");
     } else {
+        req.path.state = MUD_EMPTY;
+
         if (argz_is_set(pathz, "up")) {
             req.path.state = MUD_UP;
         } else if (argz_is_set(pathz, "backup")) {
@@ -107,7 +156,6 @@ gt_path(int argc, char **argv)
             req.path.state = MUD_DOWN;
         }
 
-        if (req.path.state)
         ret = ctl_reply(fd, &res, &req);
     }
 
@@ -116,5 +164,5 @@ gt_path(int argc, char **argv)
 
     ctl_delete(fd);
 
-    return 0;
+    return !!ret;
 }

src/set.c

@@ -22,23 +22,23 @@ gt_set_mtu(int fd, size_t mtu)
         return 1;
     }
 
-    printf("mtu set to %i\n", res.mtu);
+    printf("mtu set to %zu\n", res.mtu);
 
     return 0;
 }
 
 static int
-gt_set_timeout(int fd, unsigned long timeout)
+gt_set_kxtimeout(int fd, unsigned long ms)
 {
     struct ctl_msg res, req = {
-        .type = CTL_TIMEOUT,
-        .timeout = timeout,
+        .type = CTL_KXTIMEOUT,
+        .ms = ms,
     };
 
     int ret = ctl_reply(fd, &res, &req);
 
     if (ret) {
-        perror("set timeout");
+        perror("set kxtimeout");
         return 1;
     }
 
@@ -46,11 +46,11 @@ gt_set_timeout(int fd, unsigned long timeout)
 }
 
 static int
-gt_set_timetolerance(int fd, unsigned long timetolerance)
+gt_set_timetolerance(int fd, unsigned long ms)
 {
     struct ctl_msg res, req = {
         .type = CTL_TIMETOLERANCE,
-        .timetolerance = timetolerance,
+        .ms = ms,
     };
 
     int ret = ctl_reply(fd, &res, &req);
@@ -113,24 +113,36 @@ gt_set(int argc, char **argv)
     const char *dev = NULL;
     size_t mtu;
     int tc;
+    unsigned long kxtimeout;
     unsigned long timetolerance;
-    unsigned long timeout;
 
     struct argz pathz[] = {
         {"dev", "NAME", &dev, argz_str},
         {"mtu", "BYTES", &mtu, argz_bytes},
         {"tc", "CS|AF|EF", &tc, gt_argz_tc},
-        {"timeout", "SECONDS", &timeout, argz_time},
+        {"kxtimeout", "SECONDS", &kxtimeout, argz_time},
         {"timetolerance", "SECONDS", &timetolerance, argz_time},
         {NULL}};
 
     if (argz(pathz, argc, argv))
         return 1;
 
-    int fd = ctl_connect("/run/" PACKAGE_NAME, dev);
+    int fd = ctl_connect(GT_RUNDIR, dev);
 
-    if (fd == -1) {
+    if (fd < 0) {
+        switch (fd) {
+        case -1:
             perror("set");
+            break;
+        case -2:
+            gt_log("no device\n");
+            break;
+        case -3:
+            gt_log("please choose a device\n");
+            break;
+        default:
+            gt_log("couldn't connect\n");
+        }
         return 1;
     }
 
@@ -142,8 +154,8 @@ gt_set(int argc, char **argv)
     if (argz_is_set(pathz, "tc"))
         ret |= gt_set_tc(fd, tc);
 
-    if (argz_is_set(pathz, "timeout"))
-        ret |= gt_set_timeout(fd, timeout);
+    if (argz_is_set(pathz, "kxtimeout"))
+        ret |= gt_set_kxtimeout(fd, kxtimeout);
 
     if (argz_is_set(pathz, "timetolerance"))
         ret |= gt_set_timetolerance(fd, timetolerance);

src/show.c

@@ -9,6 +9,7 @@
 #include <dirent.h>
 #include <sys/un.h>
 #include <arpa/inet.h>
+#include <unistd.h>
 
 static int
 gt_show_dev_status(int fd, const char *dev)
@@ -18,34 +19,55 @@ gt_show_dev_status(int fd, const char *dev)
     if (ctl_reply(fd, &res, &req))
         return -1;
 
-    char bindstr[INET6_ADDRSTRLEN] = {0};
-    char peerstr[INET6_ADDRSTRLEN] = {0};
+    char bindstr[INET6_ADDRSTRLEN];
+    char peerstr[INET6_ADDRSTRLEN];
 
-    if (gt_toaddr(bindstr, sizeof(bindstr),
-                  (struct sockaddr *)&res.status.bind))
-        return -2;
+    gt_toaddr(bindstr, sizeof(bindstr),
+              (struct sockaddr *)&res.status.bind);
 
     int server = gt_toaddr(peerstr, sizeof(peerstr),
                            (struct sockaddr *)&res.status.peer);
 
+    int term = isatty(1);
+
     if (server) {
-        printf("server %s:\n"
+        printf(term ? "server %s:\n"
+                      "  pid:       %li\n"
                       "  bind:      %s port %"PRIu16"\n"
                       "  mtu:       %zu\n"
-               "  cipher:    %s\n",
+                      "  cipher:    %s\n"
+                    : "server %s"
+                      " %li"
+                      " %s %"PRIu16
+                      " %zu"
+                      " %s"
+                      "\n",
                dev,
-               bindstr, gt_get_port((struct sockaddr *)&res.status.bind),
+               res.status.pid,
+               bindstr[0] ? bindstr : "-",
+               gt_get_port((struct sockaddr *)&res.status.bind),
                res.status.mtu,
                res.status.chacha ? "chacha20poly1305" : "aes256gcm");
     } else {
-        printf("client %s:\n"
+        printf(term ? "client %s:\n"
+                      "  pid:       %li\n"
                       "  bind:      %s port %"PRIu16"\n"
                       "  peer:      %s port %"PRIu16"\n"
                       "  mtu:       %zu\n"
-               "  cipher:    %s\n",
+                      "  cipher:    %s\n"
+                    : "client %s"
+                      " %li"
+                      " %s %"PRIu16
+                      " %s %"PRIu16
+                      " %zu"
+                      " %s"
+                      "\n",
                dev,
-               bindstr, gt_get_port((struct sockaddr *)&res.status.bind),
-               peerstr, gt_get_port((struct sockaddr *)&res.status.peer),
+               res.status.pid,
+               bindstr[0] ? bindstr : "-",
+               gt_get_port((struct sockaddr *)&res.status.bind),
+               peerstr[0] ? peerstr : "-",
+               gt_get_port((struct sockaddr *)&res.status.peer),
                res.status.mtu,
                res.status.chacha ? "chacha20poly1305" : "aes256gcm");
     }
@@ -56,10 +78,11 @@ gt_show_dev_status(int fd, const char *dev)
 static int
 gt_show_dev(const char *dev)
 {
-    int fd = ctl_connect("/run/" PACKAGE_NAME, dev);
+    int fd = ctl_connect(GT_RUNDIR, dev);
 
-    if (fd == -1) {
-        perror(dev);
+    if (fd < 0) {
+        if (fd == -1)
+            perror("show");
         return -1;
     }
 
@@ -88,12 +111,10 @@ gt_show(int argc, char **argv)
     if (argz(showz, argc, argv))
         return 1;
 
-    if (dev) {
-        gt_show_dev(dev);
-        return 0;
-    }
+    if (dev)
+        return !!gt_show_dev(dev);
 
-    DIR *dp = opendir("/run/" PACKAGE_NAME);
+    DIR *dp = opendir(GT_RUNDIR);
 
     if (!dp) {
         if (errno == ENOENT)
@@ -102,14 +123,15 @@ gt_show(int argc, char **argv)
         return 1;
     }
 
+    int ret = 0;
     struct dirent *d = NULL;
 
     while (d = readdir(dp), d) {
         if (d->d_name[0] != '.')
-            gt_show_dev(d->d_name);
+            ret |= !!gt_show_dev(d->d_name);
     }
 
     closedir(dp);
 
-    return 0;
+    return ret;
 }

src/sync.c

@@ -0,0 +1,76 @@
+#include "common.h"
+#include "ctl.h"
+#include "str.h"
+
+#include "../argz/argz.h"
+
+#include <stdio.h>
+#include <dirent.h>
+
+static int
+gt_sync_dev(const char *dev, unsigned long timeout)
+{
+    const int fd = ctl_connect(GT_RUNDIR, dev);
+
+    if (fd < 0) {
+        if (fd == -1)
+            perror("sync");
+        return 1;
+    }
+
+    struct ctl_msg res, req = {
+        .type = CTL_SYNC,
+    };
+
+    int ret = ctl_reply(fd, &res, &req);
+
+    if (!ret) {
+        if (res.ms > timeout)
+            ret = 1;
+    } else {
+        perror("sync");
+    }
+
+    ctl_delete(fd);
+
+    return ret;
+}
+
+int
+gt_sync(int argc, char **argv)
+{
+    const char *dev = NULL;
+    unsigned long timeout = 20000;
+
+    struct argz syncz[] = {
+        {"dev", "NAME", &dev, argz_str},
+        {"timeout", "SECONDS", &timeout, argz_time},
+        {NULL}};
+
+    if (argz(syncz, argc, argv))
+        return 1;
+
+    if (dev)
+        return !!gt_sync_dev(dev, timeout);
+
+    DIR *dp = opendir(GT_RUNDIR);
+
+    if (!dp) {
+        if (errno == ENOENT)
+            return 0;
+        perror("sync");
+        return 1;
+    }
+
+    int ret = 0;
+    struct dirent *d = NULL;
+
+    while (d = readdir(dp), d) {
+        if (d->d_name[0] != '.')
+            ret |= !!gt_sync_dev(d->d_name, timeout);
+    }
+
+    closedir(dp);
+
+    return ret;
+}

src/tun.c

@@ -224,7 +224,7 @@ tun_write(int fd, const void *data, size_t size)
 #ifdef GT_BSD_TUN
     uint32_t family;
 
-    switch (ip_get_version(data, size)) {
+    switch (ip_get_version(data, (int)size)) {
     case 4:
         family = htonl(AF_INET);
         break;

systemd/glorytun-setup

@@ -59,7 +59,9 @@ TABLE=200
 # keep the current route to HOST
 SRC=$(ip route get "$HOST" | awk '/src/{getline;print $0}' RS=' ')
 ip rule add from "$SRC" table main pref "$((PREF-1))" || true
-glorytun path up "$SRC" dev "$DEV"
+
+# limit to 100Mbit by default
+glorytun path up "$SRC" dev "$DEV" rate rx 12500000 tx 12500000
 
 # forward everything else to the tunnel
 ip rule add from all table "$TABLE" pref "$PREF" || true

version.sh

@@ -1,13 +1,15 @@
 #!/bin/sh
 
-[ -z "${VERSION}" ] && VERSION=`git describe --tags --match='v[0-9].*' 2>/dev/null` \
-                    && VERSION=${VERSION#v}
+export GIT_DIR=.git
+export GIT_WORK_TREE=.
 
-[ -z "${VERSION}" ] && VERSION=`cat VERSION 2>/dev/null`
+[ -z "$VERSION" ] && VERSION="$(git describe --tags --match='v[0-9].*' 2>/dev/null)" \
+                  && VERSION="${VERSION#v}"
 
-[ -z "${VERSION}" ] && VERSION=0.0.0
+[ -z "$VERSION" ] && VERSION="$(git rev-parse HEAD 2>/dev/null)"
 
-[ "$1" = "major"  ] && printf ${VERSION%%.*} \
-                    && exit 0
+[ -z "$VERSION" ] && VERSION="$(cat VERSION 2>/dev/null)"
 
-printf ${VERSION} | tee VERSION
+[ -z "$VERSION" ] && VERSION="0.0.0"
+
+printf "%s" "$VERSION" | tee VERSION